diff --git a/api/hypershift/v1beta1/azure.go b/api/hypershift/v1beta1/azure.go
index f27fcd2e93c..f950d82e230 100644
--- a/api/hypershift/v1beta1/azure.go
+++ b/api/hypershift/v1beta1/azure.go
@@ -460,7 +460,11 @@ type AzureResourceManagedIdentities struct { // +kubebuilder:validation:Required ControlPlane ControlPlaneManagedIdentities `json:"controlPlane"` - // Future placeholder - DataPlaneMIs * DataPlaneManagedIdentities + // dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with + // Azure's API. + // + // +kubebuilder:validation:Required + DataPlane DataPlaneManagedIdentities `json:"dataPlane"` } // ManagedIdentity contains the client ID, and its certificate name, of a managed identity. This managed identity is 
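Review bot: `DataPlane` replaces the placeholder with a value-typed field carrying `+kubebuilder:validation:Required`, which makes `dataPlane` mandatory for every object that sets `managedIdentities`; if v1beta1 is already served and stored, as the deleted manifests suggest (`served: true`, `storage: true`), existing objects without it fail validation on their next update. If a hard requirement is intended for the `AROHCPManagedIdentities` gate listed in the deleted manifests, the commit description should say so; otherwise keep the pointer shape of the removed line and make it optional: `// +optional` followed by `DataPlane *DataPlaneManagedIdentities \`json:"dataPlane,omitempty"\``. The enclosing `AzureResourceManagedIdentities` struct starts outside the hunk, so whether a struct-level marker already covers this cannot be seen here.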
@@ -535,6 +539,32 @@ type ControlPlaneManagedIdentities struct { File ManagedIdentity `json:"file"` } +// DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to +// authenticate with Azure's API. +type DataPlaneManagedIdentities struct { + // imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image + //registry controller. + // + // +kubebuilder:validation:Required + ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID"` + + // diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver. + // + // +kubebuilder:validation:Required + DiskMSIClientID string `json:"diskMSIClientID"` + + // fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver. + // + // +kubebuilder:validation:Required + FileMSIClientID string `json:"fileMSIClientID"` + + // cloudNetworkConfigMSIClientID is the client ID of a pre-existing managed identity ID associated with the cloud + // network config controller. + // + // +kubebuilder:validation:Required + CloudNetworkConfigMSIClientID string `json:"cloudNetworkConfigMSIClientID"` +} + // AzureKMSSpec defines metadata about the configuration of the Azure KMS Secret Encryption provider using Azure key vault type AzureKMSSpec struct { // ActiveKey defines the active key used to encrypt new secrets
diff --git a/api/hypershift/v1beta1/zz_generated.deepcopy.go b/api/hypershift/v1beta1/zz_generated.deepcopy.go
index da73996c47c..6a13af6d526 100644
--- a/api/hypershift/v1beta1/zz_generated.deepcopy.go
+++ b/api/hypershift/v1beta1/zz_generated.deepcopy.go
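Review bot: `+kubebuilder:validation:Required` on the four string fields only enforces key presence, so `""` is accepted for every client ID; add `// +kubebuilder:validation:MinLength=1` to each, and if these are Azure GUIDs, a `+kubebuilder:validation:Pattern` such as the UUID pattern this API already applies to `clusterID` would reject malformed IDs before a controller tries to authenticate with them. The data plane also breaks symmetry with `ControlPlaneManagedIdentities`, whose visible `File` field is a `ManagedIdentity` (client ID plus certificate name, per the `ManagedIdentity` comment at the end of the previous hunk); if plain client IDs are deliberate here, a sentence on the type comment explaining why data-plane identities need no certificate name would help. Minor: `//registry controller.` is missing the space after `//`, and "client ID of a pre-existing managed identity ID" reads double — "client ID of the pre-existing managed identity used by the image registry controller" is clearer.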
@@ -649,6 +649,7 @@ func (in *AzurePlatformSpec) DeepCopy() *AzurePlatformSpec { func (in *AzureResourceManagedIdentities) DeepCopyInto(out *AzureResourceManagedIdentities) { *out = *in out.ControlPlane = in.ControlPlane + out.DataPlane = in.DataPlane } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureResourceManagedIdentities.
@@ -1124,6 +1125,21 @@ func (in *DNSSpec) DeepCopy() *DNSSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DataPlaneManagedIdentities) DeepCopyInto(out *DataPlaneManagedIdentities) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataPlaneManagedIdentities. +func (in *DataPlaneManagedIdentities) DeepCopy() *DataPlaneManagedIdentities { + if in == nil { + return nil + } + out := new(DataPlaneManagedIdentities) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Diagnostics) DeepCopyInto(out *Diagnostics) { *out = *in
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml
deleted file mode 100644
index 3eaaf2c4cfc..00000000000
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests.yaml
+++ /dev/null
@@ -1,230 +0,0 @@ -awsendpointservices.hypershift.openshift.io: - Annotations: {} - ApprovedPRNumber: "" - CRDName: awsendpointservices.hypershift.openshift.io - Capability: "" - Category: "" - FeatureGates: [] - FilenameOperatorName: "" - FilenameOperatorOrdering: "" - FilenameRunLevel: "" - GroupName: hypershift.openshift.io - HasStatus: true - KindName: AWSEndpointService - Labels: {} - PluralName: awsendpointservices - PrinterColumns: [] - Scope: Namespaced - ShortNames: null - TopLevelFeatureGates: [] - Version: v1beta1 - -certificatesigningrequestapprovals.hypershift.openshift.io: - Annotations: {} - ApprovedPRNumber: "" - CRDName: certificatesigningrequestapprovals.hypershift.openshift.io - Capability: "" - Category: "" - FeatureGates: [] - FilenameOperatorName: "" - FilenameOperatorOrdering: "" - FilenameRunLevel: "" - GroupName: hypershift.openshift.io - HasStatus: false - KindName: CertificateSigningRequestApproval - Labels: {} - PluralName: certificatesigningrequestapprovals - PrinterColumns: [] - Scope: Namespaced - ShortNames: - - csra - - csras - TopLevelFeatureGates: [] - Version: v1beta1 - -controlplanecomponents.hypershift.openshift.io: - Annotations: {} - ApprovedPRNumber: "" - CRDName: controlplanecomponents.hypershift.openshift.io - Capability: "" - Category: "" - FeatureGates: - - ControlPlaneV2 - FilenameOperatorName: "" - FilenameOperatorOrdering: "" - FilenameRunLevel: "" - GroupName: hypershift.openshift.io - HasStatus: true - KindName: ControlPlaneComponent - Labels: {} - PluralName: controlplanecomponents - PrinterColumns: - - description: Version - jsonPath: .status.version - name: Version - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - 
name: Message - type: string - - description: ProgressingMessage - jsonPath: .status.conditions[?(@.type=="Progressing")].message - name: ProgressingMessage - priority: 1 - type: string - Scope: Namespaced - ShortNames: - - cpc - - cpcs - TopLevelFeatureGates: - - ControlPlaneV2 - Version: v1beta1 - -hostedclusters.hypershift.openshift.io: - Annotations: {} - ApprovedPRNumber: "" - CRDName: hostedclusters.hypershift.openshift.io - Capability: "" - Category: "" - FeatureGates: - - AROHCPManagedIdentities - - DynamicResourceAllocation - - ExternalOIDC - - NetworkDiagnosticsConfig - - OpenStack - FilenameOperatorName: "" - FilenameOperatorOrdering: "" - FilenameRunLevel: "" - GroupName: hypershift.openshift.io - HasStatus: true - KindName: HostedCluster - Labels: {} - PluralName: hostedclusters - PrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - Scope: Namespaced - ShortNames: - - hc - - hcs - TopLevelFeatureGates: [] - Version: v1beta1 - -hostedcontrolplanes.hypershift.openshift.io: - Annotations: {} - ApprovedPRNumber: "" - CRDName: hostedcontrolplanes.hypershift.openshift.io - Capability: "" - Category: cluster-api - FeatureGates: - - AROHCPManagedIdentities - - DynamicResourceAllocation - - ExternalOIDC - - NetworkDiagnosticsConfig - - OpenStack - FilenameOperatorName: "" - 
FilenameOperatorOrdering: "" - FilenameRunLevel: "" - GroupName: hypershift.openshift.io - HasStatus: true - KindName: HostedControlPlane - Labels: {} - PluralName: hostedcontrolplanes - PrinterColumns: [] - Scope: Namespaced - ShortNames: - - hcp - - hcps - TopLevelFeatureGates: [] - Version: v1beta1 - -nodepools.hypershift.openshift.io: - Annotations: {} - ApprovedPRNumber: "" - CRDName: nodepools.hypershift.openshift.io - Capability: "" - Category: "" - FeatureGates: - - OpenStack - FilenameOperatorName: "" - FilenameOperatorOrdering: "" - FilenameRunLevel: "" - GroupName: hypershift.openshift.io - HasStatus: true - KindName: NodePool - Labels: {} - PluralName: nodepools - PrinterColumns: - - description: Cluster - jsonPath: .spec.clusterName - name: Cluster - type: string - - description: Desired Nodes - jsonPath: .spec.replicas - name: Desired Nodes - type: integer - - description: Available Nodes - jsonPath: .status.replicas - name: Current Nodes - type: integer - - description: Autoscaling Enabled - jsonPath: .status.conditions[?(@.type=="AutoscalingEnabled")].status - name: Autoscaling - type: string - - description: Node Autorepair Enabled - jsonPath: .status.conditions[?(@.type=="AutorepairEnabled")].status - name: Autorepair - type: string - - description: Current version - jsonPath: .status.version - name: Version - type: string - - description: UpdatingVersion in progress - jsonPath: .status.conditions[?(@.type=="UpdatingVersion")].status - name: UpdatingVersion - type: string - - description: UpdatingConfig in progress - jsonPath: .status.conditions[?(@.type=="UpdatingConfig")].status - name: UpdatingConfig - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Message - type: string - Scope: Namespaced - ShortNames: - - np - - nps - TopLevelFeatureGates: [] - Version: v1beta1 - 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/awsendpointservices.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/awsendpointservices.hypershift.openshift.io/AAA_ungated.yaml
deleted file mode 100644
index a48daccd4f5..00000000000
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/awsendpointservices.hypershift.openshift.io/AAA_ungated.yaml
+++ /dev/null
@@ -1,178 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/: "true" - name: awsendpointservices.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: AWSEndpointService - listKind: AWSEndpointServiceList - plural: awsendpointservices - singular: awsendpointservice - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: AWSEndpointService specifies a request for an Endpoint Service - in AWS - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AWSEndpointServiceSpec defines the desired state of AWSEndpointService - properties: - networkLoadBalancerName: - description: The name of the NLB for which an Endpoint Service should - be configured - type: string - resourceTags: - description: Tags to apply to the EndpointService - items: - description: AWSResourceTag is a tag to apply to AWS resources created - for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. 
Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - type: array - subnetIDs: - description: SubnetIDs is the list of subnet IDs to which guest nodes - can attach - items: - type: string - type: array - required: - - networkLoadBalancerName - type: object - status: - description: AWSEndpointServiceStatus defines the observed state of AWSEndpointService - properties: - conditions: - description: |- - Conditions contains details for the current state of the Endpoint Service - request If there is an error processing the request e.g. the NLB doesn't - exist, then the Available condition will be false, reason AWSErrorReason, - and the error reported in the message. - - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - dnsNames: - description: DNSName are the names for the records created in the - hypershift private zone - items: - type: string - type: array - dnsZoneID: - description: DNSZoneID is ID for the hypershift private zone - type: string - endpointID: - description: EndpointID is the ID of the Endpoint created in the guest - VPC - type: string - endpointServiceName: - description: |- - EndpointServiceName is the name of the Endpoint Service created in the - management VPC - type: string - securityGroupID: - description: SecurityGroupID is the ID for the VPC endpoint SecurityGroup - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/certificatesigningrequestapprovals.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/certificatesigningrequestapprovals.hypershift.openshift.io/AAA_ungated.yaml
deleted file mode 100644
index 74e52281acb..00000000000
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/certificatesigningrequestapprovals.hypershift.openshift.io/AAA_ungated.yaml
+++ /dev/null
@@ -1,52 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/: "true" - name: certificatesigningrequestapprovals.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: CertificateSigningRequestApproval - listKind: CertificateSigningRequestApprovalList - plural: certificatesigningrequestapprovals - shortNames: - - csra - - csras - singular: certificatesigningrequestapproval - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: CertificateSigningRequestApproval defines the desired state of - CertificateSigningRequestApproval - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CertificateSigningRequestApprovalSpec defines the desired - state of CertificateSigningRequestApproval - type: object - status: - description: CertificateSigningRequestApprovalStatus defines the observed - state of CertificateSigningRequestApproval - type: object - type: object - served: true - storage: true 
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/controlplanecomponents.hypershift.openshift.io/ControlPlaneV2.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/controlplanecomponents.hypershift.openshift.io/ControlPlaneV2.yaml
deleted file mode 100644
index 0917aafcab1..00000000000
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/controlplanecomponents.hypershift.openshift.io/ControlPlaneV2.yaml
+++ /dev/null
@@ -1,164 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/ControlPlaneV2: "true" - name: controlplanecomponents.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: ControlPlaneComponent - listKind: ControlPlaneComponentList - plural: controlplanecomponents - shortNames: - - cpc - - cpcs - singular: controlplanecomponent - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version - name: Version - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - - description: ProgressingMessage - jsonPath: .status.conditions[?(@.type=="Progressing")].message - name: ProgressingMessage - priority: 1 - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: ControlPlaneComponent specifies the state of a ControlPlane Component - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ControlPlaneComponentSpec defines the desired state of ControlPlaneComponent - type: object - status: - description: ControlPlaneComponentStatus defines the observed state of - ControlPlaneComponent - properties: - conditions: - description: |- - Conditions contains details for the current state of the ControlPlane Component. - If there is an error, then the Available condition will be false. - - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - resources: - description: resources is a list of the resources reconciled by this - component. - items: - description: ComponentResource defines a resource reconciled by - a ControlPlaneComponent. - properties: - group: - description: group is the API group for this resource type. - type: string - kind: - description: kind is the name of the resource schema. - type: string - name: - description: name is the name of this resource. - type: string - required: - - group - - kind - - name - type: object - type: array - version: - description: version reports the current version of this component. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml deleted file mode 100644 index d09d26e207b..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml +++ /dev/null 
@@ -1,4381 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/: "true" - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. 
- If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. 
featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. 
- type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. 
- See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. 
- properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. 
- properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. 
- type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. 
- items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. 
If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. 
Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. 
OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": 
\"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - 
"elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe 
following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n 
\"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. 
- - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. 
- properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - 
description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. 
- properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? 
self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. 
- type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. 
This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. 
- items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. - When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. 
- minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. 
- This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. - type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. 
- Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. - format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml deleted file mode 100644 index f38ba92c6fe..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AROHCPManagedIdentities.yaml +++ /dev/null 
@@ -1,4626 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/AROHCPManagedIdentities: "true" - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. 
- If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. 
featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. 
- type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. 
- See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. 
- properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. 
- properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. 
- type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. 
- items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. 
If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. 
Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. 
OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": 
\"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - 
"elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe 
following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n 
\"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. 
- - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - managedIdentities: - description: |- - managedIdentities contains the managed identities needed for HCP control plane and data plane components that - authenticate with Azure's API. - properties: - controlPlane: - description: |- - controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to - authenticate with Azure's API. - properties: - cloudProvider: - description: |- - cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller - manager. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - controlPlaneOperator: - description: controlPlaneOperator is a pre-existing - managed identity associated with the control plane - operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - disk: - description: diskClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - file: - description: fileClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. 
This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - imageRegistry: - description: imageRegistry is a pre-existing managed - identity associated with the cluster-image-registry-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - ingress: - description: ingress is a pre-existing managed identity - associated with the cluster-ingress-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - managedIdentitiesKeyVault: - description: |- - managedIdentitiesKeyVault contains information on the management cluster's managed identities Azure Key Vault. - This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the - Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring - authentication with Azure API. - - More information on how the Secrets Store CSI driver works to do this can be found here: - https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. - properties: - name: - description: name is the name of the Azure Key - Vault on the management cluster. - type: string - tenantID: - description: tenantID is the tenant ID of the - Azure Key Vault on the management cluster. - type: string - required: - - name - - tenantID - type: object - network: - description: network is a pre-existing managed identity - associated with the cluster-network-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - nodePoolManagement: - description: nodePoolManagement is a pre-existing - managed identity associated with the operator managing - the NodePools. 
- properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - cloudProvider - - controlPlaneOperator - - disk - - file - - imageRegistry - - ingress - - managedIdentitiesKeyVault - - network - - nodePoolManagement - type: object - required: - - controlPlane - type: object - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - managedIdentities - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN 
}}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - kms: - description: kms is a pre-existing managed identity used - to authenticate with Azure KMS. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. 
- type: string - x-kubernetes-validations: - - message: the client ID of a managed identity must - be a valid UUID. It should be 5 groups of hyphen - separated hexadecimal characters in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - activeKey - - kms - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. 
- properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? 
self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. 
- type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. 
This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. 
- items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. - When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. 
- minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. 
- This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. - type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. 
- Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. - format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml deleted file mode 100644 index 9884c5cc088..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/DynamicResourceAllocation.yaml +++ /dev/null 
@@ -1,4390 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/DynamicResourceAllocation: "true" - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. 
- If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. 
featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. 
- type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. 
- type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. 
- type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. 
- Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. 
- properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. 
- type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. 
- The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. - maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) 
or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. - type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. 
- properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. - - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. 
- type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. 
Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. 
The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ 
.ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). 
- type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. 
- type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. 
- properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. 
- type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml deleted file mode 100644 index 5842600c38b..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml +++ /dev/null 
@@ -1,4611 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/ExternalOIDC: "true" - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. 
- - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. - minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. 
- minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. 
- type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. 
- See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. 
- properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. 
- properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. 
- type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. 
- items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. 
If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. 
Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. 
OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": 
\"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - 
"elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe 
following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n 
\"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. 
- - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN 
}}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). 
- type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. 
- type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. 
- properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. 
- type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml
deleted file mode 100644
index b82bc2d413d..00000000000
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml
+++ /dev/null
@@ -1,4521 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/NetworkDiagnosticsConfig: "true" - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. 
- If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. 
featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. 
- type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. 
- When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. 
- It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. 
- See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. 
- properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. 
- properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. 
- type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. 
- items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. 
If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. 
Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. 
OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": 
\"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - 
"elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe 
following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n 
\"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. 
- - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN 
}}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). 
- type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. 
- type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. 
- properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. 
- type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml deleted file mode 100644 index 740c0c3df5c..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml +++ /dev/null 
@@ -1,4843 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/OpenStack: "true" - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. 
- If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. 
featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. 
- type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. 
- See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. 
- properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. 
- properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. 
- type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. 
- items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. 
If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. 
Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. 
OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": 
\"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - 
"elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe 
following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n 
\"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. 
- - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - openstack: - description: OpenStack specifies configuration for clusters running - on OpenStack. - properties: - disableExternalNetwork: - description: |- - DisableExternalNetwork specifies whether or not to attempt to connect the cluster - to an external network. This allows for the creation of clusters when connecting - to an external network is not possible or desirable, e.g. if using a provider network. - type: boolean - externalNetwork: - description: |- - ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. - This option is ignored if DisableExternalNetwork is set to true. - - If ExternalNetwork is defined it must refer to exactly one external network. 
- - If ExternalNetwork is not defined or is empty the controller will use any - existing external network as long as there is only one. It is an - error if ExternalNetwork is not defined and there are multiple - external networks unless DisableExternalNetwork is also set. - - If ExternalNetwork is not defined and there are no external networks - the controller will proceed as though DisableExternalNetwork was set. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - identityRef: - description: |- - IdentityRef is a reference to a secret holding OpenStack credentials - to be used when reconciling the hosted cluster. - properties: - cloudName: - description: CloudName specifies the name of the entry - in the clouds.yaml file to use. - type: string - name: - description: |- - Name is the name of a secret in the same namespace as the resource being provisioned. - The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file. - The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate. - type: string - required: - - cloudName - - name - type: object - managedSubnets: - description: |- - ManagedSubnets describe the OpenStack Subnet to be created. Cluster actuator will create a network, - and a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster - MachineNetwork, and a router connected to the subnet. Currently only one IPv4 - subnet is supported. - items: - properties: - allocationPools: - description: |- - AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. - If set, OpenStack will only allocate these IPs for Machines. 
It will still be possible to create ports from - outside of these ranges manually. - items: - properties: - end: - description: End represents the end of the AlloctionPool, - that is the highest IP of the pool. - type: string - start: - description: Start represents the start of the - AllocationPool, that is the lowest IP of the - pool. - type: string - required: - - end - - start - type: object - type: array - dnsNameservers: - description: |- - DNSNameservers holds a list of DNS server addresses that will be provided when creating - the subnet. These addresses need to have the same IP version as CIDR. - items: - type: string - type: array - type: object - maxItems: 1 - type: array - x-kubernetes-list-type: atomic - network: - description: |- - Network specifies an existing network to use if no ManagedSubnets - are specified. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - networkMTU: - description: |- - NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. - This value will be used only if the Cluster actuator creates the network. - If left empty, the network will have the default MTU defined in Openstack network service. - To use this field, the Openstack installation requires the net-mtu neutron API extension. - type: integer - router: - description: |- - Router specifies an existing router to be used if ManagedSubnets are - specified. If specified, no new router will be created. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - router. If provided, cannot be empty. 
- minProperties: 1 - properties: - description: - description: Description is the description of the - router to filter by. - type: string - name: - description: Name is the name of the router to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the router - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the router to use. 
If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - subnets: - description: |- - Subnets specifies existing subnets to use if not ManagedSubnets are - specified. All subnets must be in the network specified by Network. - There can be zero, one, or two subnets. If no subnets are specified, - all subnets in Network will be used. If 2 subnets are specified, one - must be IPv4 and the other IPv6. - items: - description: SubnetParam specifies an OpenStack subnet to - use. It may be specified by either ID or filter, but not - both. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select the - subnet. It must match exactly one subnet. - minProperties: 1 - properties: - cidr: - description: CIDR is the CIDR of the subnet to filter - by. - type: string - description: - description: Description is the description of the - subnet to filter by. - type: string - gatewayIP: - description: GatewayIP is the gateway IP of the - subnet to filter by. - type: string - ipVersion: - description: IPVersion is the IP version of the - subnet to filter by. - type: integer - ipv6AddressMode: - description: IPv6AddressMode is the IPv6 address - mode of the subnet to filter by. - type: string - ipv6RAMode: - description: IPv6RAMode is the IPv6 RA mode of the - subnet to filter by. - type: string - name: - description: Name is the name of the subnet to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. 
If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the - subnet to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the uuid of the subnet. It will not - be validated. - format: uuid - type: string - type: object - maxItems: 2 - type: array - x-kubernetes-list-type: atomic - tags: - description: Tags to set on all resources in cluster which - support tags - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - identityRef - type: object - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. 
- type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. 
- type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. 
Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. 
- maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - 
description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. 
- properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? 
self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. 
- type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. 
This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. 
- items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. - When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. 
- minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. 
- This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. - type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. 
- Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. - format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml deleted file mode 100644 index 6e09dbecdeb..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml +++ /dev/null 
@@ -1,4304 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/: "true" - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. 
- format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. 
- items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. 
This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? 
self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. - properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. 
- properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. - items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. 
- Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. 
- pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". 
- - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. - When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". 
Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. - - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. 
- - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. 
- format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. 
In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. 
- pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. 
- The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. 
- The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. 
- If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. 
- If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. 
- The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. 
- - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. 
- type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. 
It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. 
- Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. 
- See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. 
- enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. 
- The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. - maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) 
or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. - type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. 
- properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. - - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. 
- type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. 
Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. 
- properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AROHCPManagedIdentities.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AROHCPManagedIdentities.yaml deleted file mode 100644 index ea79568127a..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AROHCPManagedIdentities.yaml +++ /dev/null 
@@ -1,4549 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/AROHCPManagedIdentities: "true" - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. 
- format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. 
- items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. 
- - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? 
self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. - properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. 
- properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. - items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. 
- Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. 
- pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". 
- - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. - When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". 
Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. - - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. 
- - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. 
- format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. 
In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. 
- pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. 
- The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. 
- The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. 
- If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. 
- If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. 
- The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. 
- - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. 
- type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. 
It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. 
- Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. 
- See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. 
- enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - managedIdentities: - description: |- - managedIdentities contains the managed identities needed for HCP control plane and data plane components that - authenticate with Azure's API. - properties: - controlPlane: - description: |- - controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to - authenticate with Azure's API. - properties: - cloudProvider: - description: |- - cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller - manager. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - controlPlaneOperator: - description: controlPlaneOperator is a pre-existing - managed identity associated with the control plane - operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - disk: - description: diskClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - file: - description: fileClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - imageRegistry: - description: imageRegistry is a pre-existing managed - identity associated with the cluster-image-registry-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. 
This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - ingress: - description: ingress is a pre-existing managed identity - associated with the cluster-ingress-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - managedIdentitiesKeyVault: - description: |- - managedIdentitiesKeyVault contains information on the management cluster's managed identities Azure Key Vault. - This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the - Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring - authentication with Azure API. - - More information on how the Secrets Store CSI driver works to do this can be found here: - https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. 
- properties: - name: - description: name is the name of the Azure Key - Vault on the management cluster. - type: string - tenantID: - description: tenantID is the tenant ID of the - Azure Key Vault on the management cluster. - type: string - required: - - name - - tenantID - type: object - network: - description: network is a pre-existing managed identity - associated with the cluster-network-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - nodePoolManagement: - description: nodePoolManagement is a pre-existing - managed identity associated with the operator managing - the NodePools. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - cloudProvider - - controlPlaneOperator - - disk - - file - - imageRegistry - - ingress - - managedIdentitiesKeyVault - - network - - nodePoolManagement - type: object - required: - - controlPlane - type: object - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. 
This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - managedIdentities - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - 
%q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - kms: - description: kms is a pre-existing managed identity used - to authenticate with Azure KMS. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity must - be a valid UUID. It should be 5 groups of hyphen - separated hexadecimal characters in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - activeKey - - kms - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). 
- type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. 
- type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. 
- enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. 
- type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. - Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. 
- type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. 
This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. 
- maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. 
- type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. - When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. 
Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. 
- type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. - type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. 
- type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. - format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml deleted file mode 100644 index 3391c338f57..00000000000 
--- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/DynamicResourceAllocation.yaml +++ /dev/null 
@@ -1,4313 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/DynamicResourceAllocation: "true" - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. 
- format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. 
- items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. 
- - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? 
self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. - properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. 
- properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. - items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. 
- Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. 
- pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". 
- - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. - When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". 
Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. - - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. 
- - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. 
- format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. 
In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. 
- pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. 
- The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. 
- The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. 
- If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. 
- If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. 
- The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. 
- - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. - type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. 
- properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. 
- enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. 
- This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. 
- properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. 
- properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - 
following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - 
"elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ 
\"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - 
[\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. 
- properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - 
%q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml deleted file mode 100644 index 3b3d24179ae..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml +++ /dev/null 
@@ -1,4534 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/ExternalOIDC: "true" - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. 
- format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. 
- items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. 
- - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. 
- minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. 
- type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. 
- type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. 
It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. 
- Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. 
- See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. 
- enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. 
- The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. - maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) 
or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. - type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. 
- properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. - - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. 
- type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. 
Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - 
description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml deleted file mode 100644 index a2a1455ca15..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/NetworkDiagnosticsConfig.yaml +++ /dev/null 
@@ -1,4444 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/NetworkDiagnosticsConfig: "true" - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. 
- format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. 
- items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. 
- - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? 
self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. - properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. 
- properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. - items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. 
- Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. 
- pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". 
- - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. - When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". 
Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. - - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. 
- - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. 
- format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. 
In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. 
- properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. 
- format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. 
- pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. 
- If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. 
- If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. 
"mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. 
When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. 
- If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. 
- items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. - If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. 
- items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. - type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. - The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. 
Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' - format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. 
- If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. - items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. 
The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. 
- For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. 
- - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. - type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. 
- properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. 
- properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. 
in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. 
- This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. 
- properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. 
- properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - 
following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - 
"elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ 
\"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - 
[\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. 
- properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - 
%q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml deleted file mode 100644 index 98598d7fa89..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml +++ /dev/null 
@@ -1,4766 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/OpenStack: "true" - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. 
- format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. 
- items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. 
- - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. - items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. 
- properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. - nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? 
self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. - properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. 
- properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. - items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. 
- Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. 
- pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". 
- - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. - When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". 
Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. - - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. 
- - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. 
- format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. - properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. 
In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. 
- pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. - When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. 
- The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. 
- The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. - It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. 
- If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. 
- If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. 
- The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. 
- - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. 
- type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. 
It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. 
- Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. 
- See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. 
- enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. 
- The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. - maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) 
or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. - type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. 
- properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. - - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. 
- type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - openstack: - description: OpenStack specifies configuration for clusters running - on OpenStack. - properties: - disableExternalNetwork: - description: |- - DisableExternalNetwork specifies whether or not to attempt to connect the cluster - to an external network. This allows for the creation of clusters when connecting - to an external network is not possible or desirable, e.g. if using a provider network. - type: boolean - externalNetwork: - description: |- - ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. - This option is ignored if DisableExternalNetwork is set to true. - - If ExternalNetwork is defined it must refer to exactly one external network. - - If ExternalNetwork is not defined or is empty the controller will use any - existing external network as long as there is only one. It is an - error if ExternalNetwork is not defined and there are multiple - external networks unless DisableExternalNetwork is also set. - - If ExternalNetwork is not defined and there are no external networks - the controller will proceed as though DisableExternalNetwork was set. 
- maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - identityRef: - description: |- - IdentityRef is a reference to a secret holding OpenStack credentials - to be used when reconciling the hosted cluster. - properties: - cloudName: - description: CloudName specifies the name of the entry - in the clouds.yaml file to use. - type: string - name: - description: |- - Name is the name of a secret in the same namespace as the resource being provisioned. - The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file. - The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate. - type: string - required: - - cloudName - - name - type: object - managedSubnets: - description: |- - ManagedSubnets describe the OpenStack Subnet to be created. Cluster actuator will create a network, - and a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster - MachineNetwork, and a router connected to the subnet. Currently only one IPv4 - subnet is supported. - items: - properties: - allocationPools: - description: |- - AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. - If set, OpenStack will only allocate these IPs for Machines. It will still be possible to create ports from - outside of these ranges manually. - items: - properties: - end: - description: End represents the end of the AlloctionPool, - that is the highest IP of the pool. - type: string - start: - description: Start represents the start of the - AllocationPool, that is the lowest IP of the - pool. 
- type: string - required: - - end - - start - type: object - type: array - dnsNameservers: - description: |- - DNSNameservers holds a list of DNS server addresses that will be provided when creating - the subnet. These addresses need to have the same IP version as CIDR. - items: - type: string - type: array - type: object - maxItems: 1 - type: array - x-kubernetes-list-type: atomic - network: - description: |- - Network specifies an existing network to use if no ManagedSubnets - are specified. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. 
- items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - networkMTU: - description: |- - NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. - This value will be used only if the Cluster actuator creates the network. - If left empty, the network will have the default MTU defined in Openstack network service. - To use this field, the Openstack installation requires the net-mtu neutron API extension. - type: integer - router: - description: |- - Router specifies an existing router to be used if ManagedSubnets are - specified. If specified, no new router will be created. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - router. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - router to filter by. - type: string - name: - description: Name is the name of the router to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. 
- items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the router - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the router to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - subnets: - description: |- - Subnets specifies existing subnets to use if not ManagedSubnets are - specified. All subnets must be in the network specified by Network. - There can be zero, one, or two subnets. If no subnets are specified, - all subnets in Network will be used. 
If 2 subnets are specified, one - must be IPv4 and the other IPv6. - items: - description: SubnetParam specifies an OpenStack subnet to - use. It may be specified by either ID or filter, but not - both. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select the - subnet. It must match exactly one subnet. - minProperties: 1 - properties: - cidr: - description: CIDR is the CIDR of the subnet to filter - by. - type: string - description: - description: Description is the description of the - subnet to filter by. - type: string - gatewayIP: - description: GatewayIP is the gateway IP of the - subnet to filter by. - type: string - ipVersion: - description: IPVersion is the IP version of the - subnet to filter by. - type: integer - ipv6AddressMode: - description: IPv6AddressMode is the IPv6 address - mode of the subnet to filter by. - type: string - ipv6RAMode: - description: IPv6RAMode is the IPv6 RA mode of the - subnet to filter by. - type: string - name: - description: Name is the name of the subnet to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the - subnet to filter by. 
- type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the uuid of the subnet. It will not - be validated. - format: uuid - type: string - type: object - maxItems: 2 - type: array - x-kubernetes-list-type: atomic - tags: - description: Tags to set on all resources in cluster which - support tags - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - identityRef - type: object - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. 
- properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/AAA_ungated.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/AAA_ungated.yaml deleted file mode 100644 index 64dcd72e924..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/AAA_ungated.yaml +++ /dev/null 
@@ -1,1433 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/: "true" - name: nodepools.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: NodePool - listKind: NodePoolList - plural: nodepools - shortNames: - - np - - nps - singular: nodepool - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster - jsonPath: .spec.clusterName - name: Cluster - type: string - - description: Desired Nodes - jsonPath: .spec.replicas - name: Desired Nodes - type: integer - - description: Available Nodes - jsonPath: .status.replicas - name: Current Nodes - type: integer - - description: Autoscaling Enabled - jsonPath: .status.conditions[?(@.type=="AutoscalingEnabled")].status - name: Autoscaling - type: string - - description: Node Autorepair Enabled - jsonPath: .status.conditions[?(@.type=="AutorepairEnabled")].status - name: Autorepair - type: string - - description: Current version - jsonPath: .status.version - name: Version - type: string - - description: UpdatingVersion in progress - jsonPath: .status.conditions[?(@.type=="UpdatingVersion")].status - name: UpdatingVersion - type: string - - description: UpdatingConfig in progress - jsonPath: .status.conditions[?(@.type=="UpdatingConfig")].status - name: UpdatingConfig - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - NodePool is a scalable set of worker nodes attached to a HostedCluster. - NodePool machine architectures are uniform within a given pool, and are - independent of the control plane’s underlying machine architecture. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the NodePool. - properties: - arch: - default: amd64 - description: "arch is the preferred processor architecture for the - NodePool. Different platforms might have different supported architectures.\n\thttps://github.com/kubernetes/kubernetes/issues/108768#issuecomment-1253912215" - enum: - - arm64 - - amd64 - - ppc64le - type: string - x-kubernetes-validations: - - message: Arch is immutable - rule: self == oldSelf - autoScaling: - description: |- - autoscaling specifies auto-scaling behavior for the NodePool. - autoscaling is mutually exclusive with replicas. If replicas is set, this field must be ommited. - properties: - max: - description: Max is the maximum number of nodes allowed in the - pool. Must be >= 1 and >= Min. - format: int32 - minimum: 1 - type: integer - min: - description: Min is the minimum number of nodes to maintain in - the pool. Must be >= 1 and <= .Max. - format: int32 - minimum: 1 - type: integer - required: - - max - - min - type: object - x-kubernetes-validations: - - message: max must be equal or greater than min - rule: self.max >= self.min - clusterName: - description: |- - clusterName is the name of the HostedCluster this NodePool belongs to. - If a HostedCluster with this name doesn't exist, the controller will no-op until it exists. 
- maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: ClusterName is immutable - rule: self == oldSelf - - message: clusterName must consist of lowercase alphanumeric characters - or '-', start and end with an alphanumeric character, and be between - 1 and 253 characters - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') - config: - description: |- - config is a list of references to ConfigMaps containing serialized - MachineConfig resources to be injected into the ignition configurations of - nodes in the NodePool. The MachineConfig API schema is defined here: - - https://github.com/openshift/machine-config-operator/blob/18963e4f8fe66e8c513ca4b131620760a414997f/pkg/apis/machineconfiguration.openshift.io/v1/types.go#L185 - - Each ConfigMap must have a single key named "config" whose value is the YML - with one or more serialized machineconfiguration.openshift.io resources: - - * KubeletConfig - * ContainerRuntimeConfig - * MachineConfig - * ClusterImagePolicy - * ImageContentSourcePolicy - * ImageDigestMirrorSet - - This is validated in the backend and signaled back via validMachineConfig condition. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - management: - description: |- - management specifies behavior for managing nodes in the pool, such as - upgrade strategies and auto-repair behaviors. 
- properties: - autoRepair: - default: false - description: |- - autoRepair specifies whether health checks should be enabled for machines in the NodePool. The default is false. - Enabling this feature will cause the controller to automatically delete unhealthy machines. - The unhealthy criteria is reserved for the controller implementation and subject to change. - But generally it's determined by checking the Node ready condition is true and a timeout that might vary depending on the platform provider. - AutoRepair will no-op when more than 2 Nodes are unhealthy at the same time. Giving time for the cluster to stabilize or to the user to manually intervene. - type: boolean - inPlace: - description: inPlace is the configuration for in-place upgrades. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - Defaults to 1. - - Example: when this is set to 30%, a max of 30% of the nodes can be made - unschedulable/unavailable immediately when the update starts. Once a set - of nodes is updated, more nodes can be made unschedulable for update, - ensuring that the total number of nodes schedulable at all times during - the update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - replace: - default: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - strategy: RollingUpdate - description: |- - replace is the configuration for rolling upgrades. - It defaults to a RollingUpdate strategy with maxSurge of 1 and maxUnavailable of 0. - properties: - rollingUpdate: - description: |- - rollingUpdate specifies a rolling update strategy which upgrades nodes by - creating new nodes and deleting the old ones. 
- properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - maxSurge is the maximum number of nodes that can be provisioned above the - desired number of nodes. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding up. - - This can not be 0 if MaxUnavailable is 0. - - Defaults to 1. - - Example: when this is set to 30%, new nodes can be provisioned immediately - when the rolling update starts, such that the total number of old and new - nodes do not exceed 130% of desired nodes. Once old nodes have been - deleted, new nodes can be provisioned, ensuring that total number of nodes - running at any time during the update is at most 130% of desired nodes. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - This can not be 0 if MaxSurge is 0. - - Defaults to 0. - - Example: when this is set to 30%, old nodes can be deleted down to 70% of - desired nodes immediately when the rolling update starts. Once new nodes - are ready, more old nodes be deleted, followed by provisioning new nodes, - ensuring that the total number of nodes available at all times during the - update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - strategy: - description: |- - strategy is the node replacement strategy for nodes in the pool. - In can be either "RollingUpdate" or "OnDelete". RollingUpdate will rollout Nodes honoring maxSurge and maxUnavailable. - OnDelete provide more granular control and will replace nodes as the old ones are manually deleted. 
- enum: - - RollingUpdate - - OnDelete - type: string - type: object - x-kubernetes-validations: - - message: The 'rollingUpdate' field can only be set when 'strategy' - is 'RollingUpdate' - rule: '!has(self.rollingUpdate) || self.strategy == ''RollingUpdate''' - upgradeType: - description: |- - upgradeType specifies the type of strategy for handling upgrades. - This can be either "Replace" or "InPlace". - "Replace" will update Nodes by recreating the underlying instances. - "InPlace" will update Nodes by applying changes to the existing instances. This might or might not result in a reboot. - enum: - - Replace - - InPlace - type: string - x-kubernetes-validations: - - message: UpgradeType is immutable - rule: self == oldSelf - required: - - upgradeType - type: object - x-kubernetes-validations: - - message: The 'inPlace' field can only be set when 'upgradeType' - is 'InPlace' - rule: '!has(self.inPlace) || self.upgradeType == ''InPlace''' - nodeDrainTimeout: - description: |- - nodeDrainTimeout is the maximum amount of time that the controller will spend on retrying to drain a node until it succeeds. - The default value is 0, meaning that the node can retry drain without any time limitations. - type: string - nodeLabels: - additionalProperties: - type: string - description: |- - nodeLabels propagates a list of labels to Nodes, only once on creation. - Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - nodeVolumeDetachTimeout: - description: |- - nodeVolumeDetachTimeout is the maximum amount of time that the controller will spend on detaching volumes from a node. - The default value is 0, meaning that the volumes will be detached from the node without any time limitations. - After the timeout, any remaining attached volumes will be ignored and the removal of the machine will continue. 
- type: string - pausedUntil: - description: |- - pausedUntil is a field that can be used to pause reconciliation on the NodePool controller. Resulting in any change to the NodePool being ignored. - Either a date can be provided in RFC3339 format or a boolean as in 'true', 'false', 'True', 'False'. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - maxLength: 35 - minLength: 1 - type: string - x-kubernetes-validations: - - message: PausedUntil must be a date in RFC3339 format or 'True', - 'true', 'False' or 'false' - rule: self.matches('^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.*$') - || self in ['true', 'false', 'True', 'False'] - platform: - description: |- - platform specifies the underlying infrastructure provider for the NodePool - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies the configuration used when using - Agent platform. - properties: - agentLabelSelector: - description: |- - AgentLabelSelector contains labels that must be set on an Agent in order to - be selected for a Machine. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - aws: - description: AWS specifies the configuration used when operating - on AWS. - properties: - ami: - description: |- - AMI is the image id to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - instanceProfile: - description: InstanceProfile is the AWS EC2 instance profile, - which is a container for an IAM role that the EC2 instance - uses. - type: string - instanceType: - description: InstanceType is an ec2 instance type for node - instances (e.g. m5.large). - type: string - placement: - description: placement specifies the placement options for - the EC2 instances. - properties: - tenancy: - description: |- - Tenancy indicates if instance should run on shared or single-tenant hardware. - - Possible values: - default: NodePool instances run on shared hardware. - dedicated: Each NodePool instance runs on single-tenant hardware. - host: NodePool instances run on user's pre-allocated dedicated hosts. - enum: - - default - - dedicated - - host - type: string - type: object - resourceTags: - description: |- - ResourceTags is an optional list of additional tags to apply to AWS node - instances. - - These will be merged with HostedCluster scoped tags, and HostedCluster tags - take precedence in case of conflicts. 
- - See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rootVolume: - description: RootVolume specifies configuration for the root - volume of node instances. - properties: - encrypted: - description: Encrypted is whether the volume should be - encrypted or not. - type: boolean - x-kubernetes-validations: - - message: Encrypted is immutable - rule: self == oldSelf - encryptionKey: - description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. - type: string - iops: - description: |- - IOPS is the number of IOPS requested for the disk. This is only valid - for type io1. - format: int64 - type: integer - size: - description: |- - Size specifies size (in Gi) of the storage device. - - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - type: - description: Type is the type of the volume. 
- type: string - required: - - size - - type - type: object - securityGroups: - description: |- - SecurityGroups is an optional set of security groups to associate with node - instances. - items: - description: |- - AWSResourceReference is a reference to a specific AWS resource by ID or filters. - Only one of ID or Filters may be specified. Specifying more than one will result in - a validation error. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - type: array - subnet: - description: Subnet is the subnet to use for node instances. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names are - case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - x-kubernetes-validations: - - message: subnet is invalid, a valid subnet id or filters - must be set, but not both - rule: 'has(self.id) && self.id.startsWith(''subnet-'') ? - !has(self.filters) : size(self.filters) > 0' - required: - - instanceType - - subnet - type: object - azure: - description: AzureNodePoolPlatform is the platform specific configuration - for an Azure node pool. - properties: - availabilityZone: - description: |- - availabilityZone is the failure domain identifier where the VM should be attached to. This must not be specified - for clusters in a location that does not support AvailabilityZone because it would cause a failure from Azure API. - type: string - diagnostics: - description: |- - diagnostics specifies the diagnostics settings for a virtual machine. - If not specified, then Boot diagnostics will be disabled. - properties: - storageAccountType: - allOf: - - enum: - - Managed - - UserManaged - - Disabled - - enum: - - Managed - - UserManaged - - Disabled - default: Disabled - description: |- - storageAccountType determines if the storage account for storing the diagnostics data - should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). - type: string - userManaged: - description: userManaged specifies the diagnostics settings - for a virtual machine when the storage account is managed - by the user. - properties: - storageAccountURI: - description: |- - storageAccountURI is the URI of the user-managed storage account. - The URI typically will be `https://.blob.core.windows.net/` - but may differ if you are using Azure DNS zone endpoints. 
- You can find the correct endpoint by looking for the Blob Primary Endpoint in the - endpoints tab in the Azure console or with the CLI by issuing - `az storage account list --query='[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}'`. - maxLength: 1024 - type: string - x-kubernetes-validations: - - message: storageAccountURI must be a valid HTTPS - URL - rule: isURL(self) && url(self).getScheme() == 'https' - required: - - storageAccountURI - type: object - type: object - x-kubernetes-validations: - - message: userManaged is required when storageAccountType - is UserManaged, and forbidden otherwise - rule: 'self.storageAccountType == ''UserManaged'' ? has(self.userManaged) - : !has(self.userManaged)' - encryptionAtHost: - default: Enabled - description: |- - encryptionAtHost enables encryption at host on virtual machines. According to Microsoft documentation, this - means data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. See - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell - for more information. - enum: - - Enabled - - Disabled - type: string - image: - description: |- - image is used to configure the VM boot image. If unset, the default image at the location below will be used and - is expected to exist: subscription//resourceGroups//providers/Microsoft.Compute/images/rhcos.x86_64.vhd. - The and the are expected to be the same resource group documented in the - Hosted Cluster specification respectively, HostedCluster.Spec.Platform.Azure.SubscriptionID and - HostedCluster.Spec.Platform.Azure.ResourceGroupName. - properties: - azureMarketplace: - description: azureMarketplace contains the Azure Marketplace - image info to use to boot the Azure VMs from. - properties: - offer: - description: offer specifies the name of a group of - related images created by the publisher. 
- minLength: 1 - type: string - publisher: - description: |- - publisher is the name of the organization that created the image. - It must be between 3 and 50 characters in length, and consist of only lowercase letters, numbers, and hyphens (-) and underscores (_). - It must start with a lowercase letter or a number. - maxLength: 50 - minLength: 3 - pattern: ^[a-z0-9][a-z0-9-_]{2,49}$ - type: string - sku: - description: |- - sku specifies an instance of an offer, such as a major release of a distribution. - For example, 22_04-lts-gen2, 8-lvm-gen2. - The value must consist only of lowercase letters, numbers, and hyphens (-) and underscores (_). - minLength: 1 - pattern: ^[a-z0-9-_]+$ - type: string - version: - description: |- - version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, - Minor, and Build are decimal numbers, e.g. '1.2.0'. Specify 'latest' to use the latest version of an image available at - deployment time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a - new version becomes available. - maxLength: 32 - minLength: 1 - pattern: ^[0-9]+\.[0-9]+\.[0-9]+$|^latest$ - type: string - required: - - offer - - publisher - - sku - - version - type: object - imageID: - description: imageID is the Azure resource ID of a VHD - image to use to boot the Azure VMs from. - type: string - type: - description: |- - type is the type of image data that will be provided to the Azure VM. - Valid values are "ImageID" and "AzureMarketplace". - ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. - AzureMarketplace means the VM will boot from an Azure Marketplace image. - Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. 
- enum: - - ImageID - - AzureMarketplace - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: imageID is required when type is ImageID, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''ImageID'' ? has(self.imageID) - : !has(self.imageID)' - - message: azureMarketplace is required when type is RequiredMember, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AzureMarketplace'' - ? has(self.azureMarketplace) : !has(self.azureMarketplace)' - machineIdentityID: - description: | - machineIdentityID is a user-assigned identity assigned to the VMs used to authenticate with Azure services. The - identify is expected to exist under the same resource group as HostedCluster.Spec.Platform.Azure.ResourceGroupName. This - user assigned identity is expected to have the Contributor role assigned to it and scoped to the resource group - under HostedCluster.Spec.Platform.Azure.ResourceGroupName. - - If this field is not supplied, the Service Principal credentials will be written to a file on the disk of each VM - in order to be accessible by the cloud provider; the aforementioned credentials provided are the same ones as - HostedCluster.Spec.Platform.Azure.Credentials. However, this is less secure than using a managed identity. - type: string - osDisk: - description: |- - osDisk provides configuration for the OS disk for the nodepool. - This can be used to configure the size, storage account type, encryption options and whether the disk is persistent or ephemeral. - When not provided, the platform will choose reasonable defaults which are subject to change over time. - Review the fields within the osDisk for more details. - properties: - diskStorageAccountType: - description: |- - storageAccountType is the disk storage account type to use. - Valid values are Standard, StandardSSD, PremiumSSD and UltraSSD and omitted. - Note that Standard means a HDD. 
- The disk performance is tied to the disk type, please refer to the Azure documentation for further details - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison. - When omitted this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is PremiumSSD. - enum: - - Standard - - StandardSSD - - PremiumSSD - - UltraSSD - type: string - encryptionSetID: - description: |- - encryptionSetID is the ID of the DiskEncryptionSet resource to use to encrypt the OS disks for the VMs. - Configuring a DiskEncyptionSet allows greater control over the encryption of the VM OS disk at rest. - Can be used with either platform (Azure) managed, or customer managed encryption keys. - This needs to exist in the same subscription id listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.SubscriptionID. - DiskEncryptionSetID should also exist in a resource group under the same subscription id and the same location - listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.Location. - The encryptionSetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The resourceName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores. 
- maxLength: 285 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}` - rule: size(self.split('/')) == 9 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Compute/diskEncryptionSets/.*$') - - message: The resourceGroupName should be between 1 and - 90 characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the encryptionSetID - must not end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The resourceName should be between 1 and 80 - characters, consisting only of alphanumeric characters, - hyphens and underscores - rule: self.split('/')[8].matches('[a-zA-Z0-9-_]{1,80}') - persistence: - description: |- - persistence determines whether the OS disk should be persisted beyond the life of the VM. - Valid values are Persistent and Ephemeral. - When set to Ephmeral, the OS disk will not be persisted to Azure storage and implies restrictions to the VM size and caching type. - Full details can be found in the Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks. - Ephmeral disks are primarily used for stateless applications, provide lower latency than Persistent disks and also incur no storage costs. - When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - enum: - - Persistent - - Ephemeral - type: string - sizeGiB: - description: |- - SizeGiB is the size in GiB (1024^3 bytes) to assign to the OS disk. - This should be between 16 and 65,536 when using the UltraSSD storage account type and between 16 and 32,767 when using any other storage account type. 
- When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 30. - format: int32 - maximum: 65536 - minimum: 16 - type: integer - type: object - x-kubernetes-validations: - - message: When not using storageAccountType UltraSSD, the - SizeGB value must be less than or equal to 32,767 - rule: '!has(self.diskStorageAccountType) || self.diskStorageAccountType - != ''UltraSSD'' || self.sizeGiB <= 32767' - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - vmSize: - description: |- - vmSize is the Azure VM instance type to use for the nodes being created in the nodepool. - The size naming convention is documented here https://learn.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions. 
- Size names should start with a Family name, which is represented by one of more capital letters, and then be followed by the CPU count. - This is followed by 0 or more additional features, represented by a, b, d, i, l, m, p, t, s, C, and NP, refer to the Azure documentation for an explanation of these features. - Optionally an accelerator such as a GPU can be added, prefixed by an underscore, for example A100, H100 or MI300X. - The size may also be versioned, in which case it should be suffixed with _v where the version is a number. - For example, "D32ads_v5" would be a suitable general purpose VM size, or "ND96_MI300X_v5" would represent a GPU accelerated VM. - pattern: ^(Standard_|Basic_)?[A-Z]+[0-9]+(-[0-9]+)?[abdilmptsCNP]*(_[A-Z]*[0-9]+[A-Z]*)?(_v[0-9]+)?$ - type: string - required: - - image - - osDisk - - subnetID - - vmSize - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: Kubevirt specifies the configuration used when operating - on KubeVirt platform. 
- properties: - additionalNetworks: - description: AdditionalNetworks specify the extra networks - attached to the nodes - items: - description: |- - KubevirtNetwork specifies the configuration for a virtual machine - network interface - properties: - name: - description: |- - Name specify the network attached to the nodes - it is a value with the format "[namespace]/[name]" to reference the - multus network attachment definition - type: string - required: - - name - type: object - type: array - attachDefaultNetwork: - default: true - description: |- - AttachDefaultNetwork specify if the default pod network should be attached to the nodes - this can only be set to false if AdditionalNetworks are configured - type: boolean - compute: - default: - cores: 2 - memory: 8Gi - description: Compute contains values representing the virtual - hardware requested for the VM - properties: - cores: - default: 2 - description: Cores represents how many cores the guest - VM should have - format: int32 - type: integer - memory: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Memory represents how much guest memory the - VM should have - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - qosClass: - default: Burstable - description: |- - QosClass If set to "Guaranteed", requests the scheduler to place the VirtualMachineInstance on a node with - limit memory and CPU, equal to be the requested values, to set the VMI as a Guaranteed QoS Class; - See here for more details: - https://kubevirt.io/user-guide/operations/node_overcommit/#requesting-the-right-qos-class-for-virtualmachineinstances - enum: - - Burstable - - Guaranteed - type: string - type: object - hostDevices: - description: |- - KubevirtHostDevices specifies the host devices (e.g. 
GPU devices) to be passed - from the management cluster, to the nodepool nodes - items: - properties: - count: - default: 1 - description: |- - Count is the number of instances the specified host device will be attached to each of the - NodePool's nodes. Default is 1. - minimum: 1 - type: integer - deviceName: - description: |- - DeviceName is the name of the host device that is desired to be utilized in the HostedCluster's NodePool - The device can be any supported PCI device, including GPU, either as a passthrough or a vGPU slice. - type: string - required: - - deviceName - type: object - type: array - networkInterfaceMultiqueue: - default: Enable - description: |- - NetworkInterfaceMultiQueue If set to "Enable", virtual network interfaces configured with a virtio bus will also - enable the vhost multiqueue feature for network devices. The number of queues created depends on additional - factors of the VirtualMachineInstance, like the number of guest CPUs. - enum: - - Enable - - Disable - type: string - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the kubevirt VirtualMachine to fit on a node. - Selector which must match a node's labels for the VM to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - rootVolume: - default: - persistent: - size: 32Gi - type: Persistent - description: RootVolume represents values associated with - the VM volume that will host rhcos - properties: - cacheStrategy: - description: CacheStrategy defines the boot image caching - strategy. 
Default - no caching - properties: - type: - default: None - description: Type is the type of the caching strategy - enum: - - None - - PVC - type: string - required: - - type - type: object - diskImage: - description: Image represents what rhcos image to use - for the node pool - properties: - containerDiskImage: - description: ContainerDiskImage is a string representing - the container image that holds the root disk - type: string - type: object - persistent: - description: |- - Persistent volume type means the VM's storage is backed by a PVC - VMs that use persistent volumes can survive disruption events like restart and eviction - This is the default type used when no storage type is defined. - properties: - accessModes: - description: |- - AccessModes is an array that contains the desired Access Modes the root volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes - items: - enum: - - ReadWriteOnce - - ReadWriteMany - - ReadOnly - - ReadWriteOncePod - type: string - type: array - size: - anyOf: - - type: integer - - type: string - default: 32Gi - description: Size is the size of the persistent storage - volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - storageClass: - description: StorageClass is the storageClass used - for the underlying PVC that hosts the volume - type: string - volumeMode: - description: |- - VolumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - enum: - - Filesystem - - Block - type: string - type: object - type: - default: Persistent - description: Type represents the type of storage to associate - with the kubevirt VMs. 
- enum: - - Persistent - type: string - type: object - required: - - rootVolume - type: object - powervs: - description: PowerVS specifies the configuration used when using - IBMCloud PowerVS platform. - properties: - image: - description: |- - Image used for deploying the nodes. If unspecified, the default - is chosen based on the NodePool release payload image. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - imageDeletePolicy: - default: delete - description: |- - ImageDeletePolicy is policy for the image deletion. - - delete: delete the image from the infrastructure. - retain: delete the image from the openshift but retain in the infrastructure. - - The default is delete - enum: - - delete - - retain - type: string - memoryGiB: - default: 32 - description: |- - MemoryGiB is the size of a virtual machine's memory, in GiB. - maximum value for the MemoryGiB depends on the selected SystemType. - when SystemType is set to e880 maximum MemoryGiB value is 7463 GiB. - when SystemType is set to e980 maximum MemoryGiB value is 15307 GiB. - when SystemType is set to s922 maximum MemoryGiB value is 942 GiB. - The minimum memory is 32 GiB. - - When omitted, this means the user has no opinion and the platform is left to choose a reasonable - default. The current default is 32. - format: int32 - type: integer - processorType: - default: shared - description: |- - ProcessorType is the VM instance processor type. - It must be set to one of the following values: Dedicated, Capped or Shared. - - Dedicated: resources are allocated for a specific client, The hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. - Shared: Shared among other clients. - Capped: Shared, but resources do not expand beyond those that are requested, the amount of CPU time is Capped to the value specified for the entitlement. 
- - if the processorType is selected as Dedicated, then Processors value cannot be fractional. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is shared. - enum: - - dedicated - - shared - - capped - type: string - processors: - anyOf: - - type: integer - - type: string - default: "0.5" - description: |- - Processors is the number of virtual processors in a virtual machine. - when the processorType is selected as Dedicated the processors value cannot be fractional. - maximum value for the Processors depends on the selected SystemType. - when SystemType is set to e880 or e980 maximum Processors value is 143. - when SystemType is set to s922 maximum Processors value is 15. - minimum value for Processors depends on the selected ProcessorType. - when ProcessorType is set as Shared or Capped, The minimum processors is 0.5. - when ProcessorType is set as Dedicated, The minimum processors is 1. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The default is set based on the selected ProcessorType. - when ProcessorType selected as Dedicated, the default is set to 1. - when ProcessorType selected as Shared or Capped, the default is set to 0.5. - x-kubernetes-int-or-string: true - storageType: - default: tier1 - description: |- - StorageType for the image and nodes, this will be ignored if Image is specified. - The storage tiers in PowerVS are based on I/O operations per second (IOPS). - It means that the performance of your storage volumes is limited to the maximum number of IOPS based on volume size and storage tier. - Although, the exact numbers might change over time, the Tier 3 storage is currently set to 3 IOPS/GB, and the Tier 1 storage is currently set to 10 IOPS/GB. 
- - The default is tier1 - enum: - - tier1 - - tier3 - type: string - systemType: - default: s922 - description: |- - SystemType is the System type used to host the instance. - systemType determines the number of cores and memory that is available. - Few of the supported SystemTypes are s922,e880,e980. - e880 systemType available only in Dallas Datacenters. - e980 systemType available in Datacenters except Dallas and Washington. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is s922 which is generally available. - type: string - type: object - type: - description: Type specifies the platform name. - enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - release: - description: |- - release specifies the OCP release used for the NodePool. This informs the - ignition configuration for machines which includes the kubelet version, as well as other platform specific - machine properties (e.g. an AMI on the AWS platform). - It's not supported to use a release in a NodePool which minor version skew against the Control Plane release is bigger than N-2. Although there's no enforcement that prevents this from happening. - Attempting to use a release with a bigger skew might result in unpredictable behaviour. - Attempting to use a release higher than the HosterCluster one will result in the NodePool being degraded and the ValidReleaseImage condition being false. - Attempting to use a release lower than the current NodePool y-stream will result in the NodePool being degraded and the ValidReleaseImage condition being false. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. 
- maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - replicas: - description: |- - replicas is the desired number of nodes the pool should maintain. If unset, the controller default value is 0. - replicas is mutually exclusive with autoscaling. If autoscaling is configured, replicas must be omitted and autoscaling will control the NodePool size internally. - format: int32 - type: integer - taints: - description: |- - taints if specified, propagates a list of taints to Nodes, only once on creation. - These taints are additive to the ones applied by other controllers - items: - description: |- - taint is as v1 Core but without TimeAdded. - https://github.com/kubernetes/kubernetes/blob/ed8cad1e80d096257921908a52ac69cf1f41a098/staging/src/k8s.io/api/core/v1/types.go#L3037-L3053 - Validation replicates the same validation as the upstream https://github.com/kubernetes/kubernetes/blob/9a2a7537f035969a68e432b4cc276dbce8ce1735/pkg/util/taints/taints.go#L273. - See also https://kubernetes.io/docs/concepts/overview/working-with-objects/names/. - properties: - effect: - description: |- - effect is the effect of the taint on pods - that do not tolerate the taint. - Valid effects are NoSchedule, PreferNoSchedule and NoExecute. - enum: - - NoSchedule - - PreferNoSchedule - - NoExecute - type: string - key: - description: key is the taint key to be applied to a node. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must be a qualified name with an optional subdomain - prefix e.g. example.com/MyName - rule: self.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/)?[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$') - value: - description: value is the taint value corresponding to the taint - key. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: Value must start and end with alphanumeric characters - and can only contain '-', '_', '.' in the middle - rule: self.matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$') - required: - - effect - - key - type: object - maxItems: 50 - type: array - tuningConfig: - description: |- - tuningConfig is a list of references to ConfigMaps containing serialized - Tuned or PerformanceProfile resources to define the tuning configuration to be applied to - nodes in the NodePool. The Tuned API is defined here: - - https://github.com/openshift/cluster-node-tuning-operator/blob/2c76314fb3cc8f12aef4a0dcd67ddc3677d5b54f/pkg/apis/tuned/v1/tuned_types.go - - The PerformanceProfile API is defined here: - https://github.com/openshift/cluster-node-tuning-operator/tree/b41042d42d4ba5bb2e99960248cf1d6ae4935018/pkg/apis/performanceprofile/v2 - - Each ConfigMap must have a single key named "tuning" whose value is the - JSON or YAML of a serialized Tuned or PerformanceProfile. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - required: - - clusterName - - management - - platform - - release - type: object - x-kubernetes-validations: - - message: Arch is required once set - rule: '!has(oldSelf.arch) || has(self.arch)' - - message: Setting Arch to arm64 is only supported for AWS and Azure - rule: self.arch != 'arm64' || has(self.platform.aws) || has(self.platform.azure) - - message: Both replicas or autoScaling should not be set - rule: '!has(self.replicas) || !has(self.autoScaling)' - status: - description: Status is the latest observed status of the NodePool. - properties: - conditions: - description: |- - Conditions represents the latest available observations of the node pool's - current state. - items: - description: |- - We define our own condition type since metav1.Condition has validation - for Reason that might be broken by what we bubble up from CAPI. - NodePoolCondition defines an observation of NodePool resource operational state. - properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - observedGeneration: - format: int64 - minimum: 0 - type: integer - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. - This field may not be empty. 
- type: string - severity: - description: |- - Severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: |- - Type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - platform: - description: Platform hols the specific statuses - properties: - kubeVirt: - description: KubeVirt contains the KubeVirt platform statuses - properties: - cacheName: - description: CacheName holds the name of the cache DataVolume, - if exists - type: string - credentials: - description: |- - Credentials shows the client credentials used when creating KubeVirt virtual machines. - This filed is only exists when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - type: object - type: object - replicas: - description: Replicas is the latest observed number of nodes in the - pool. - format: int32 - type: integer - version: - description: |- - Version is the semantic version of the latest applied release specified by - the NodePool. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/OpenStack.yaml b/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/OpenStack.yaml deleted file mode 100644 index 486121cacbe..00000000000 --- a/api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/nodepools.hypershift.openshift.io/OpenStack.yaml +++ /dev/null 
@@ -1,1462 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - feature-gate.release.openshift.io/OpenStack: "true" - name: nodepools.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: NodePool - listKind: NodePoolList - plural: nodepools - shortNames: - - np - - nps - singular: nodepool - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster - jsonPath: .spec.clusterName - name: Cluster - type: string - - description: Desired Nodes - jsonPath: .spec.replicas - name: Desired Nodes - type: integer - - description: Available Nodes - jsonPath: .status.replicas - name: Current Nodes - type: integer - - description: Autoscaling Enabled - jsonPath: .status.conditions[?(@.type=="AutoscalingEnabled")].status - name: Autoscaling - type: string - - description: Node Autorepair Enabled - jsonPath: .status.conditions[?(@.type=="AutorepairEnabled")].status - name: Autorepair - type: string - - description: Current version - jsonPath: .status.version - name: Version - type: string - - description: UpdatingVersion in progress - jsonPath: .status.conditions[?(@.type=="UpdatingVersion")].status - name: UpdatingVersion - type: string - - description: UpdatingConfig in progress - jsonPath: .status.conditions[?(@.type=="UpdatingConfig")].status - name: UpdatingConfig - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - NodePool is a scalable set of worker nodes attached to a HostedCluster. - NodePool machine architectures are uniform within a given pool, and are - independent of the control plane’s underlying machine architecture. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the NodePool. - properties: - arch: - default: amd64 - description: "arch is the preferred processor architecture for the - NodePool. Different platforms might have different supported architectures.\n\thttps://github.com/kubernetes/kubernetes/issues/108768#issuecomment-1253912215" - enum: - - arm64 - - amd64 - - ppc64le - type: string - x-kubernetes-validations: - - message: Arch is immutable - rule: self == oldSelf - autoScaling: - description: |- - autoscaling specifies auto-scaling behavior for the NodePool. - autoscaling is mutually exclusive with replicas. If replicas is set, this field must be ommited. - properties: - max: - description: Max is the maximum number of nodes allowed in the - pool. Must be >= 1 and >= Min. - format: int32 - minimum: 1 - type: integer - min: - description: Min is the minimum number of nodes to maintain in - the pool. Must be >= 1 and <= .Max. - format: int32 - minimum: 1 - type: integer - required: - - max - - min - type: object - x-kubernetes-validations: - - message: max must be equal or greater than min - rule: self.max >= self.min - clusterName: - description: |- - clusterName is the name of the HostedCluster this NodePool belongs to. - If a HostedCluster with this name doesn't exist, the controller will no-op until it exists. 
- maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: ClusterName is immutable - rule: self == oldSelf - - message: clusterName must consist of lowercase alphanumeric characters - or '-', start and end with an alphanumeric character, and be between - 1 and 253 characters - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') - config: - description: |- - config is a list of references to ConfigMaps containing serialized - MachineConfig resources to be injected into the ignition configurations of - nodes in the NodePool. The MachineConfig API schema is defined here: - - https://github.com/openshift/machine-config-operator/blob/18963e4f8fe66e8c513ca4b131620760a414997f/pkg/apis/machineconfiguration.openshift.io/v1/types.go#L185 - - Each ConfigMap must have a single key named "config" whose value is the YML - with one or more serialized machineconfiguration.openshift.io resources: - - * KubeletConfig - * ContainerRuntimeConfig - * MachineConfig - * ClusterImagePolicy - * ImageContentSourcePolicy - * ImageDigestMirrorSet - - This is validated in the backend and signaled back via validMachineConfig condition. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - management: - description: |- - management specifies behavior for managing nodes in the pool, such as - upgrade strategies and auto-repair behaviors. 
- properties: - autoRepair: - default: false - description: |- - autoRepair specifies whether health checks should be enabled for machines in the NodePool. The default is false. - Enabling this feature will cause the controller to automatically delete unhealthy machines. - The unhealthy criteria is reserved for the controller implementation and subject to change. - But generally it's determined by checking the Node ready condition is true and a timeout that might vary depending on the platform provider. - AutoRepair will no-op when more than 2 Nodes are unhealthy at the same time. Giving time for the cluster to stabilize or to the user to manually intervene. - type: boolean - inPlace: - description: inPlace is the configuration for in-place upgrades. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - Defaults to 1. - - Example: when this is set to 30%, a max of 30% of the nodes can be made - unschedulable/unavailable immediately when the update starts. Once a set - of nodes is updated, more nodes can be made unschedulable for update, - ensuring that the total number of nodes schedulable at all times during - the update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - replace: - default: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - strategy: RollingUpdate - description: |- - replace is the configuration for rolling upgrades. - It defaults to a RollingUpdate strategy with maxSurge of 1 and maxUnavailable of 0. - properties: - rollingUpdate: - description: |- - rollingUpdate specifies a rolling update strategy which upgrades nodes by - creating new nodes and deleting the old ones. 
- properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - maxSurge is the maximum number of nodes that can be provisioned above the - desired number of nodes. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding up. - - This can not be 0 if MaxUnavailable is 0. - - Defaults to 1. - - Example: when this is set to 30%, new nodes can be provisioned immediately - when the rolling update starts, such that the total number of old and new - nodes do not exceed 130% of desired nodes. Once old nodes have been - deleted, new nodes can be provisioned, ensuring that total number of nodes - running at any time during the update is at most 130% of desired nodes. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - This can not be 0 if MaxSurge is 0. - - Defaults to 0. - - Example: when this is set to 30%, old nodes can be deleted down to 70% of - desired nodes immediately when the rolling update starts. Once new nodes - are ready, more old nodes be deleted, followed by provisioning new nodes, - ensuring that the total number of nodes available at all times during the - update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - strategy: - description: |- - strategy is the node replacement strategy for nodes in the pool. - In can be either "RollingUpdate" or "OnDelete". RollingUpdate will rollout Nodes honoring maxSurge and maxUnavailable. - OnDelete provide more granular control and will replace nodes as the old ones are manually deleted. 
- enum: - - RollingUpdate - - OnDelete - type: string - type: object - x-kubernetes-validations: - - message: The 'rollingUpdate' field can only be set when 'strategy' - is 'RollingUpdate' - rule: '!has(self.rollingUpdate) || self.strategy == ''RollingUpdate''' - upgradeType: - description: |- - upgradeType specifies the type of strategy for handling upgrades. - This can be either "Replace" or "InPlace". - "Replace" will update Nodes by recreating the underlying instances. - "InPlace" will update Nodes by applying changes to the existing instances. This might or might not result in a reboot. - enum: - - Replace - - InPlace - type: string - x-kubernetes-validations: - - message: UpgradeType is immutable - rule: self == oldSelf - required: - - upgradeType - type: object - x-kubernetes-validations: - - message: The 'inPlace' field can only be set when 'upgradeType' - is 'InPlace' - rule: '!has(self.inPlace) || self.upgradeType == ''InPlace''' - nodeDrainTimeout: - description: |- - nodeDrainTimeout is the maximum amount of time that the controller will spend on retrying to drain a node until it succeeds. - The default value is 0, meaning that the node can retry drain without any time limitations. - type: string - nodeLabels: - additionalProperties: - type: string - description: |- - nodeLabels propagates a list of labels to Nodes, only once on creation. - Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - nodeVolumeDetachTimeout: - description: |- - nodeVolumeDetachTimeout is the maximum amount of time that the controller will spend on detaching volumes from a node. - The default value is 0, meaning that the volumes will be detached from the node without any time limitations. - After the timeout, any remaining attached volumes will be ignored and the removal of the machine will continue. 
- type: string - pausedUntil: - description: |- - pausedUntil is a field that can be used to pause reconciliation on the NodePool controller. Resulting in any change to the NodePool being ignored. - Either a date can be provided in RFC3339 format or a boolean as in 'true', 'false', 'True', 'False'. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - maxLength: 35 - minLength: 1 - type: string - x-kubernetes-validations: - - message: PausedUntil must be a date in RFC3339 format or 'True', - 'true', 'False' or 'false' - rule: self.matches('^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.*$') - || self in ['true', 'false', 'True', 'False'] - platform: - description: |- - platform specifies the underlying infrastructure provider for the NodePool - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies the configuration used when using - Agent platform. - properties: - agentLabelSelector: - description: |- - AgentLabelSelector contains labels that must be set on an Agent in order to - be selected for a Machine. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - aws: - description: AWS specifies the configuration used when operating - on AWS. - properties: - ami: - description: |- - AMI is the image id to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - instanceProfile: - description: InstanceProfile is the AWS EC2 instance profile, - which is a container for an IAM role that the EC2 instance - uses. - type: string - instanceType: - description: InstanceType is an ec2 instance type for node - instances (e.g. m5.large). - type: string - placement: - description: placement specifies the placement options for - the EC2 instances. - properties: - tenancy: - description: |- - Tenancy indicates if instance should run on shared or single-tenant hardware. - - Possible values: - default: NodePool instances run on shared hardware. - dedicated: Each NodePool instance runs on single-tenant hardware. - host: NodePool instances run on user's pre-allocated dedicated hosts. - enum: - - default - - dedicated - - host - type: string - type: object - resourceTags: - description: |- - ResourceTags is an optional list of additional tags to apply to AWS node - instances. - - These will be merged with HostedCluster scoped tags, and HostedCluster tags - take precedence in case of conflicts. 
- - See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rootVolume: - description: RootVolume specifies configuration for the root - volume of node instances. - properties: - encrypted: - description: Encrypted is whether the volume should be - encrypted or not. - type: boolean - x-kubernetes-validations: - - message: Encrypted is immutable - rule: self == oldSelf - encryptionKey: - description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. - type: string - iops: - description: |- - IOPS is the number of IOPS requested for the disk. This is only valid - for type io1. - format: int64 - type: integer - size: - description: |- - Size specifies size (in Gi) of the storage device. - - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - type: - description: Type is the type of the volume. 
- type: string - required: - - size - - type - type: object - securityGroups: - description: |- - SecurityGroups is an optional set of security groups to associate with node - instances. - items: - description: |- - AWSResourceReference is a reference to a specific AWS resource by ID or filters. - Only one of ID or Filters may be specified. Specifying more than one will result in - a validation error. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - type: array - subnet: - description: Subnet is the subnet to use for node instances. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names are - case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - x-kubernetes-validations: - - message: subnet is invalid, a valid subnet id or filters - must be set, but not both - rule: 'has(self.id) && self.id.startsWith(''subnet-'') ? - !has(self.filters) : size(self.filters) > 0' - required: - - instanceType - - subnet - type: object - azure: - description: AzureNodePoolPlatform is the platform specific configuration - for an Azure node pool. - properties: - availabilityZone: - description: |- - availabilityZone is the failure domain identifier where the VM should be attached to. This must not be specified - for clusters in a location that does not support AvailabilityZone because it would cause a failure from Azure API. - type: string - diagnostics: - description: |- - diagnostics specifies the diagnostics settings for a virtual machine. - If not specified, then Boot diagnostics will be disabled. - properties: - storageAccountType: - allOf: - - enum: - - Managed - - UserManaged - - Disabled - - enum: - - Managed - - UserManaged - - Disabled - default: Disabled - description: |- - storageAccountType determines if the storage account for storing the diagnostics data - should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). - type: string - userManaged: - description: userManaged specifies the diagnostics settings - for a virtual machine when the storage account is managed - by the user. - properties: - storageAccountURI: - description: |- - storageAccountURI is the URI of the user-managed storage account. - The URI typically will be `https://.blob.core.windows.net/` - but may differ if you are using Azure DNS zone endpoints. 
- You can find the correct endpoint by looking for the Blob Primary Endpoint in the - endpoints tab in the Azure console or with the CLI by issuing - `az storage account list --query='[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}'`. - maxLength: 1024 - type: string - x-kubernetes-validations: - - message: storageAccountURI must be a valid HTTPS - URL - rule: isURL(self) && url(self).getScheme() == 'https' - required: - - storageAccountURI - type: object - type: object - x-kubernetes-validations: - - message: userManaged is required when storageAccountType - is UserManaged, and forbidden otherwise - rule: 'self.storageAccountType == ''UserManaged'' ? has(self.userManaged) - : !has(self.userManaged)' - encryptionAtHost: - default: Enabled - description: |- - encryptionAtHost enables encryption at host on virtual machines. According to Microsoft documentation, this - means data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. See - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell - for more information. - enum: - - Enabled - - Disabled - type: string - image: - description: |- - image is used to configure the VM boot image. If unset, the default image at the location below will be used and - is expected to exist: subscription//resourceGroups//providers/Microsoft.Compute/images/rhcos.x86_64.vhd. - The and the are expected to be the same resource group documented in the - Hosted Cluster specification respectively, HostedCluster.Spec.Platform.Azure.SubscriptionID and - HostedCluster.Spec.Platform.Azure.ResourceGroupName. - properties: - azureMarketplace: - description: azureMarketplace contains the Azure Marketplace - image info to use to boot the Azure VMs from. - properties: - offer: - description: offer specifies the name of a group of - related images created by the publisher. 
- minLength: 1 - type: string - publisher: - description: |- - publisher is the name of the organization that created the image. - It must be between 3 and 50 characters in length, and consist of only lowercase letters, numbers, and hyphens (-) and underscores (_). - It must start with a lowercase letter or a number. - maxLength: 50 - minLength: 3 - pattern: ^[a-z0-9][a-z0-9-_]{2,49}$ - type: string - sku: - description: |- - sku specifies an instance of an offer, such as a major release of a distribution. - For example, 22_04-lts-gen2, 8-lvm-gen2. - The value must consist only of lowercase letters, numbers, and hyphens (-) and underscores (_). - minLength: 1 - pattern: ^[a-z0-9-_]+$ - type: string - version: - description: |- - version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, - Minor, and Build are decimal numbers, e.g. '1.2.0'. Specify 'latest' to use the latest version of an image available at - deployment time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a - new version becomes available. - maxLength: 32 - minLength: 1 - pattern: ^[0-9]+\.[0-9]+\.[0-9]+$|^latest$ - type: string - required: - - offer - - publisher - - sku - - version - type: object - imageID: - description: imageID is the Azure resource ID of a VHD - image to use to boot the Azure VMs from. - type: string - type: - description: |- - type is the type of image data that will be provided to the Azure VM. - Valid values are "ImageID" and "AzureMarketplace". - ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. - AzureMarketplace means the VM will boot from an Azure Marketplace image. - Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. 
- enum: - - ImageID - - AzureMarketplace - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: imageID is required when type is ImageID, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''ImageID'' ? has(self.imageID) - : !has(self.imageID)' - - message: azureMarketplace is required when type is RequiredMember, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AzureMarketplace'' - ? has(self.azureMarketplace) : !has(self.azureMarketplace)' - machineIdentityID: - description: | - machineIdentityID is a user-assigned identity assigned to the VMs used to authenticate with Azure services. The - identify is expected to exist under the same resource group as HostedCluster.Spec.Platform.Azure.ResourceGroupName. This - user assigned identity is expected to have the Contributor role assigned to it and scoped to the resource group - under HostedCluster.Spec.Platform.Azure.ResourceGroupName. - - If this field is not supplied, the Service Principal credentials will be written to a file on the disk of each VM - in order to be accessible by the cloud provider; the aforementioned credentials provided are the same ones as - HostedCluster.Spec.Platform.Azure.Credentials. However, this is less secure than using a managed identity. - type: string - osDisk: - description: |- - osDisk provides configuration for the OS disk for the nodepool. - This can be used to configure the size, storage account type, encryption options and whether the disk is persistent or ephemeral. - When not provided, the platform will choose reasonable defaults which are subject to change over time. - Review the fields within the osDisk for more details. - properties: - diskStorageAccountType: - description: |- - storageAccountType is the disk storage account type to use. - Valid values are Standard, StandardSSD, PremiumSSD and UltraSSD and omitted. - Note that Standard means a HDD. 
- The disk performance is tied to the disk type, please refer to the Azure documentation for further details - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison. - When omitted this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is PremiumSSD. - enum: - - Standard - - StandardSSD - - PremiumSSD - - UltraSSD - type: string - encryptionSetID: - description: |- - encryptionSetID is the ID of the DiskEncryptionSet resource to use to encrypt the OS disks for the VMs. - Configuring a DiskEncyptionSet allows greater control over the encryption of the VM OS disk at rest. - Can be used with either platform (Azure) managed, or customer managed encryption keys. - This needs to exist in the same subscription id listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.SubscriptionID. - DiskEncryptionSetID should also exist in a resource group under the same subscription id and the same location - listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.Location. - The encryptionSetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The resourceName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores. 
- maxLength: 285 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}` - rule: size(self.split('/')) == 9 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Compute/diskEncryptionSets/.*$') - - message: The resourceGroupName should be between 1 and - 90 characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the encryptionSetID - must not end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The resourceName should be between 1 and 80 - characters, consisting only of alphanumeric characters, - hyphens and underscores - rule: self.split('/')[8].matches('[a-zA-Z0-9-_]{1,80}') - persistence: - description: |- - persistence determines whether the OS disk should be persisted beyond the life of the VM. - Valid values are Persistent and Ephemeral. - When set to Ephmeral, the OS disk will not be persisted to Azure storage and implies restrictions to the VM size and caching type. - Full details can be found in the Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks. - Ephmeral disks are primarily used for stateless applications, provide lower latency than Persistent disks and also incur no storage costs. - When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - enum: - - Persistent - - Ephemeral - type: string - sizeGiB: - description: |- - SizeGiB is the size in GiB (1024^3 bytes) to assign to the OS disk. - This should be between 16 and 65,536 when using the UltraSSD storage account type and between 16 and 32,767 when using any other storage account type. 
- When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 30. - format: int32 - maximum: 65536 - minimum: 16 - type: integer - type: object - x-kubernetes-validations: - - message: When not using storageAccountType UltraSSD, the - SizeGB value must be less than or equal to 32,767 - rule: '!has(self.diskStorageAccountType) || self.diskStorageAccountType - != ''UltraSSD'' || self.sizeGiB <= 32767' - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - vmSize: - description: |- - vmSize is the Azure VM instance type to use for the nodes being created in the nodepool. - The size naming convention is documented here https://learn.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions. 
- Size names should start with a Family name, which is represented by one of more capital letters, and then be followed by the CPU count. - This is followed by 0 or more additional features, represented by a, b, d, i, l, m, p, t, s, C, and NP, refer to the Azure documentation for an explanation of these features. - Optionally an accelerator such as a GPU can be added, prefixed by an underscore, for example A100, H100 or MI300X. - The size may also be versioned, in which case it should be suffixed with _v where the version is a number. - For example, "D32ads_v5" would be a suitable general purpose VM size, or "ND96_MI300X_v5" would represent a GPU accelerated VM. - pattern: ^(Standard_|Basic_)?[A-Z]+[0-9]+(-[0-9]+)?[abdilmptsCNP]*(_[A-Z]*[0-9]+[A-Z]*)?(_v[0-9]+)?$ - type: string - required: - - image - - osDisk - - subnetID - - vmSize - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: Kubevirt specifies the configuration used when operating - on KubeVirt platform. 
- properties: - additionalNetworks: - description: AdditionalNetworks specify the extra networks - attached to the nodes - items: - description: |- - KubevirtNetwork specifies the configuration for a virtual machine - network interface - properties: - name: - description: |- - Name specify the network attached to the nodes - it is a value with the format "[namespace]/[name]" to reference the - multus network attachment definition - type: string - required: - - name - type: object - type: array - attachDefaultNetwork: - default: true - description: |- - AttachDefaultNetwork specify if the default pod network should be attached to the nodes - this can only be set to false if AdditionalNetworks are configured - type: boolean - compute: - default: - cores: 2 - memory: 8Gi - description: Compute contains values representing the virtual - hardware requested for the VM - properties: - cores: - default: 2 - description: Cores represents how many cores the guest - VM should have - format: int32 - type: integer - memory: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Memory represents how much guest memory the - VM should have - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - qosClass: - default: Burstable - description: |- - QosClass If set to "Guaranteed", requests the scheduler to place the VirtualMachineInstance on a node with - limit memory and CPU, equal to be the requested values, to set the VMI as a Guaranteed QoS Class; - See here for more details: - https://kubevirt.io/user-guide/operations/node_overcommit/#requesting-the-right-qos-class-for-virtualmachineinstances - enum: - - Burstable - - Guaranteed - type: string - type: object - hostDevices: - description: |- - KubevirtHostDevices specifies the host devices (e.g. 
GPU devices) to be passed - from the management cluster, to the nodepool nodes - items: - properties: - count: - default: 1 - description: |- - Count is the number of instances the specified host device will be attached to each of the - NodePool's nodes. Default is 1. - minimum: 1 - type: integer - deviceName: - description: |- - DeviceName is the name of the host device that is desired to be utilized in the HostedCluster's NodePool - The device can be any supported PCI device, including GPU, either as a passthrough or a vGPU slice. - type: string - required: - - deviceName - type: object - type: array - networkInterfaceMultiqueue: - default: Enable - description: |- - NetworkInterfaceMultiQueue If set to "Enable", virtual network interfaces configured with a virtio bus will also - enable the vhost multiqueue feature for network devices. The number of queues created depends on additional - factors of the VirtualMachineInstance, like the number of guest CPUs. - enum: - - Enable - - Disable - type: string - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the kubevirt VirtualMachine to fit on a node. - Selector which must match a node's labels for the VM to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - rootVolume: - default: - persistent: - size: 32Gi - type: Persistent - description: RootVolume represents values associated with - the VM volume that will host rhcos - properties: - cacheStrategy: - description: CacheStrategy defines the boot image caching - strategy. 
Default - no caching - properties: - type: - default: None - description: Type is the type of the caching strategy - enum: - - None - - PVC - type: string - required: - - type - type: object - diskImage: - description: Image represents what rhcos image to use - for the node pool - properties: - containerDiskImage: - description: ContainerDiskImage is a string representing - the container image that holds the root disk - type: string - type: object - persistent: - description: |- - Persistent volume type means the VM's storage is backed by a PVC - VMs that use persistent volumes can survive disruption events like restart and eviction - This is the default type used when no storage type is defined. - properties: - accessModes: - description: |- - AccessModes is an array that contains the desired Access Modes the root volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes - items: - enum: - - ReadWriteOnce - - ReadWriteMany - - ReadOnly - - ReadWriteOncePod - type: string - type: array - size: - anyOf: - - type: integer - - type: string - default: 32Gi - description: Size is the size of the persistent storage - volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - storageClass: - description: StorageClass is the storageClass used - for the underlying PVC that hosts the volume - type: string - volumeMode: - description: |- - VolumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - enum: - - Filesystem - - Block - type: string - type: object - type: - default: Persistent - description: Type represents the type of storage to associate - with the kubevirt VMs. 
- enum: - - Persistent - type: string - type: object - required: - - rootVolume - type: object - openstack: - description: OpenStack specifies the configuration used when using - OpenStack platform. - properties: - availabilityZone: - description: |- - availabilityZone is the nova availability zone in which the provider will create the VM. - If not specified, the VM will be created in the default availability zone specified in the nova configuration. - Availability zone names must NOT contain : since it is used by admin users to specify hosts where instances - are launched in server creation. Also, it must not contain spaces otherwise it will lead to node that belongs - to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. - The maximum length of availability zone name is 63 as per labels limits. - maxLength: 63 - minLength: 1 - pattern: '^[^: ]*$' - type: string - flavor: - description: Flavor is the OpenStack flavor to use for the - node instances. - type: string - imageName: - description: |- - ImageName is the OpenStack Glance image name to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - required: - - flavor - type: object - powervs: - description: PowerVS specifies the configuration used when using - IBMCloud PowerVS platform. - properties: - image: - description: |- - Image used for deploying the nodes. If unspecified, the default - is chosen based on the NodePool release payload image. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - imageDeletePolicy: - default: delete - description: |- - ImageDeletePolicy is policy for the image deletion. - - delete: delete the image from the infrastructure. - retain: delete the image from the openshift but retain in the infrastructure. 
- - The default is delete - enum: - - delete - - retain - type: string - memoryGiB: - default: 32 - description: |- - MemoryGiB is the size of a virtual machine's memory, in GiB. - maximum value for the MemoryGiB depends on the selected SystemType. - when SystemType is set to e880 maximum MemoryGiB value is 7463 GiB. - when SystemType is set to e980 maximum MemoryGiB value is 15307 GiB. - when SystemType is set to s922 maximum MemoryGiB value is 942 GiB. - The minimum memory is 32 GiB. - - When omitted, this means the user has no opinion and the platform is left to choose a reasonable - default. The current default is 32. - format: int32 - type: integer - processorType: - default: shared - description: |- - ProcessorType is the VM instance processor type. - It must be set to one of the following values: Dedicated, Capped or Shared. - - Dedicated: resources are allocated for a specific client, The hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. - Shared: Shared among other clients. - Capped: Shared, but resources do not expand beyond those that are requested, the amount of CPU time is Capped to the value specified for the entitlement. - - if the processorType is selected as Dedicated, then Processors value cannot be fractional. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is shared. - enum: - - dedicated - - shared - - capped - type: string - processors: - anyOf: - - type: integer - - type: string - default: "0.5" - description: |- - Processors is the number of virtual processors in a virtual machine. - when the processorType is selected as Dedicated the processors value cannot be fractional. - maximum value for the Processors depends on the selected SystemType. - when SystemType is set to e880 or e980 maximum Processors value is 143. - when SystemType is set to s922 maximum Processors value is 15. 
- minimum value for Processors depends on the selected ProcessorType. - when ProcessorType is set as Shared or Capped, The minimum processors is 0.5. - when ProcessorType is set as Dedicated, The minimum processors is 1. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The default is set based on the selected ProcessorType. - when ProcessorType selected as Dedicated, the default is set to 1. - when ProcessorType selected as Shared or Capped, the default is set to 0.5. - x-kubernetes-int-or-string: true - storageType: - default: tier1 - description: |- - StorageType for the image and nodes, this will be ignored if Image is specified. - The storage tiers in PowerVS are based on I/O operations per second (IOPS). - It means that the performance of your storage volumes is limited to the maximum number of IOPS based on volume size and storage tier. - Although, the exact numbers might change over time, the Tier 3 storage is currently set to 3 IOPS/GB, and the Tier 1 storage is currently set to 10 IOPS/GB. - - The default is tier1 - enum: - - tier1 - - tier3 - type: string - systemType: - default: s922 - description: |- - SystemType is the System type used to host the instance. - systemType determines the number of cores and memory that is available. - Few of the supported SystemTypes are s922,e880,e980. - e880 systemType available only in Dallas Datacenters. - e980 systemType available in Datacenters except Dallas and Washington. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is s922 which is generally available. - type: string - type: object - type: - description: Type specifies the platform name. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - release: - description: |- - release specifies the OCP release used for the NodePool. This informs the - ignition configuration for machines which includes the kubelet version, as well as other platform specific - machine properties (e.g. an AMI on the AWS platform). - It's not supported to use a release in a NodePool which minor version skew against the Control Plane release is bigger than N-2. Although there's no enforcement that prevents this from happening. - Attempting to use a release with a bigger skew might result in unpredictable behaviour. - Attempting to use a release higher than the HosterCluster one will result in the NodePool being degraded and the ValidReleaseImage condition being false. - Attempting to use a release lower than the current NodePool y-stream will result in the NodePool being degraded and the ValidReleaseImage condition being false. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - replicas: - description: |- - replicas is the desired number of nodes the pool should maintain. If unset, the controller default value is 0. - replicas is mutually exclusive with autoscaling. If autoscaling is configured, replicas must be omitted and autoscaling will control the NodePool size internally. 
- format: int32 - type: integer - taints: - description: |- - taints if specified, propagates a list of taints to Nodes, only once on creation. - These taints are additive to the ones applied by other controllers - items: - description: |- - taint is as v1 Core but without TimeAdded. - https://github.com/kubernetes/kubernetes/blob/ed8cad1e80d096257921908a52ac69cf1f41a098/staging/src/k8s.io/api/core/v1/types.go#L3037-L3053 - Validation replicates the same validation as the upstream https://github.com/kubernetes/kubernetes/blob/9a2a7537f035969a68e432b4cc276dbce8ce1735/pkg/util/taints/taints.go#L273. - See also https://kubernetes.io/docs/concepts/overview/working-with-objects/names/. - properties: - effect: - description: |- - effect is the effect of the taint on pods - that do not tolerate the taint. - Valid effects are NoSchedule, PreferNoSchedule and NoExecute. - enum: - - NoSchedule - - PreferNoSchedule - - NoExecute - type: string - key: - description: key is the taint key to be applied to a node. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must be a qualified name with an optional subdomain - prefix e.g. example.com/MyName - rule: self.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/)?[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$') - value: - description: value is the taint value corresponding to the taint - key. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: Value must start and end with alphanumeric characters - and can only contain '-', '_', '.' in the middle - rule: self.matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$') - required: - - effect - - key - type: object - maxItems: 50 - type: array - tuningConfig: - description: |- - tuningConfig is a list of references to ConfigMaps containing serialized - Tuned or PerformanceProfile resources to define the tuning configuration to be applied to - nodes in the NodePool. 
The Tuned API is defined here: - - https://github.com/openshift/cluster-node-tuning-operator/blob/2c76314fb3cc8f12aef4a0dcd67ddc3677d5b54f/pkg/apis/tuned/v1/tuned_types.go - - The PerformanceProfile API is defined here: - https://github.com/openshift/cluster-node-tuning-operator/tree/b41042d42d4ba5bb2e99960248cf1d6ae4935018/pkg/apis/performanceprofile/v2 - - Each ConfigMap must have a single key named "tuning" whose value is the - JSON or YAML of a serialized Tuned or PerformanceProfile. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - required: - - clusterName - - management - - platform - - release - type: object - x-kubernetes-validations: - - message: Arch is required once set - rule: '!has(oldSelf.arch) || has(self.arch)' - - message: Setting Arch to arm64 is only supported for AWS and Azure - rule: self.arch != 'arm64' || has(self.platform.aws) || has(self.platform.azure) - - message: Both replicas or autoScaling should not be set - rule: '!has(self.replicas) || !has(self.autoScaling)' - status: - description: Status is the latest observed status of the NodePool. - properties: - conditions: - description: |- - Conditions represents the latest available observations of the node pool's - current state. - items: - description: |- - We define our own condition type since metav1.Condition has validation - for Reason that might be broken by what we bubble up from CAPI. - NodePoolCondition defines an observation of NodePool resource operational state. 
- properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - observedGeneration: - format: int64 - minimum: 0 - type: integer - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. - This field may not be empty. - type: string - severity: - description: |- - Severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: |- - Type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - platform: - description: Platform hols the specific statuses - properties: - kubeVirt: - description: KubeVirt contains the KubeVirt platform statuses - properties: - cacheName: - description: CacheName holds the name of the cache DataVolume, - if exists - type: string - credentials: - description: |- - Credentials shows the client credentials used when creating KubeVirt virtual machines. 
- This filed is only exists when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - type: object - type: object - replicas: - description: Replicas is the latest observed number of nodes in the - pool. - format: int32 - type: integer - version: - description: |- - Version is the semantic version of the latest applied release specified by - the NodePool. - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/client/applyconfiguration/hypershift/v1beta1/azureresourcemanagedidentities.go b/client/applyconfiguration/hypershift/v1beta1/azureresourcemanagedidentities.go index 30e89a51739..15fa0ebc6a3 100644 --- a/client/applyconfiguration/hypershift/v1beta1/azureresourcemanagedidentities.go 
+++ b/client/applyconfiguration/hypershift/v1beta1/azureresourcemanagedidentities.go @@ -21,6 +21,7 @@ package v1beta1 // with apply. type AzureResourceManagedIdentitiesApplyConfiguration struct { ControlPlane *ControlPlaneManagedIdentitiesApplyConfiguration `json:"controlPlane,omitempty"` + DataPlane *DataPlaneManagedIdentitiesApplyConfiguration `json:"dataPlane,omitempty"` } // AzureResourceManagedIdentitiesApplyConfiguration constructs an declarative configuration of the AzureResourceManagedIdentities type for use with @@ -36,3 +37,11 @@ func (b *AzureResourceManagedIdentitiesApplyConfiguration) WithControlPlane(valu b.ControlPlane = value return b } + +// WithDataPlane sets the DataPlane field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the DataPlane field is set to the value of the last call. +func (b *AzureResourceManagedIdentitiesApplyConfiguration) WithDataPlane(value *DataPlaneManagedIdentitiesApplyConfiguration) *AzureResourceManagedIdentitiesApplyConfiguration { + b.DataPlane = value + return b +} diff --git a/client/applyconfiguration/hypershift/v1beta1/dataplanemanagedidentities.go b/client/applyconfiguration/hypershift/v1beta1/dataplanemanagedidentities.go new file mode 100644 index 00000000000..991c2e8ef7e --- /dev/null +++ b/client/applyconfiguration/hypershift/v1beta1/dataplanemanagedidentities.go 
@@ -0,0 +1,74 @@
+/*
+
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+// Code generated by applyconfiguration-gen. DO NOT EDIT.
+
+package v1beta1
+
+// DataPlaneManagedIdentitiesApplyConfiguration represents an declarative configuration of the DataPlaneManagedIdentities type for use
+// with apply.
+type DataPlaneManagedIdentitiesApplyConfiguration struct {
+ ImageRegistryMSIClientID *string `json:"imageRegistryMSIClientID,omitempty"`
+ DiskMSIClientID *string `json:"diskMSIClientID,omitempty"`
+ FileMSIClientID *string `json:"fileMSIClientID,omitempty"`
+ IngressMSIClientID *string `json:"ingressMSIClientID,omitempty"`
+ CloudNetworkConfigMSIClientID *string `json:"cloudNetworkConfigMSIClientID,omitempty"`
+}
+
+// DataPlaneManagedIdentitiesApplyConfiguration constructs an declarative configuration of the DataPlaneManagedIdentities type for use with
+// apply.
+func DataPlaneManagedIdentities() *DataPlaneManagedIdentitiesApplyConfiguration {
+ return &DataPlaneManagedIdentitiesApplyConfiguration{}
+}
+
+// WithImageRegistryMSIClientID sets the ImageRegistryMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the ImageRegistryMSIClientID field is set to the value of the last call.
+func (b *DataPlaneManagedIdentitiesApplyConfiguration) WithImageRegistryMSIClientID(value string) *DataPlaneManagedIdentitiesApplyConfiguration {
+ b.ImageRegistryMSIClientID = &value
+ return b
+}
+
+// WithDiskMSIClientID sets the DiskMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the DiskMSIClientID field is set to the value of the last call.
+func (b *DataPlaneManagedIdentitiesApplyConfiguration) WithDiskMSIClientID(value string) *DataPlaneManagedIdentitiesApplyConfiguration {
+ b.DiskMSIClientID = &value
+ return b
+}
+
+// WithFileMSIClientID sets the FileMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the FileMSIClientID field is set to the value of the last call.
+func (b *DataPlaneManagedIdentitiesApplyConfiguration) WithFileMSIClientID(value string) *DataPlaneManagedIdentitiesApplyConfiguration {
+ b.FileMSIClientID = &value
+ return b
+}
+
+// WithIngressMSIClientID sets the IngressMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the IngressMSIClientID field is set to the value of the last call.
+func (b *DataPlaneManagedIdentitiesApplyConfiguration) WithIngressMSIClientID(value string) *DataPlaneManagedIdentitiesApplyConfiguration {
+ b.IngressMSIClientID = &value
+ return b
+}
+
+// WithCloudNetworkConfigMSIClientID sets the CloudNetworkConfigMSIClientID field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the CloudNetworkConfigMSIClientID field is set to the value of the last call.
+func (b *DataPlaneManagedIdentitiesApplyConfiguration) WithCloudNetworkConfigMSIClientID(value string) *DataPlaneManagedIdentitiesApplyConfiguration {
+ b.CloudNetworkConfigMSIClientID = &value
+ return b
+}
diff --git a/client/applyconfiguration/utils.go b/client/applyconfiguration/utils.go
index dededb01f1a..892ff2c52ca 100644
--- a/client/applyconfiguration/utils.go
+++ b/client/applyconfiguration/utils.go
@@ -110,6 +110,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} {
 return &hypershiftv1beta1.ClusterVersionStatusApplyConfiguration{}
 case v1beta1.SchemeGroupVersion.WithKind("ControlPlaneManagedIdentities"):
 return &hypershiftv1beta1.ControlPlaneManagedIdentitiesApplyConfiguration{}
+ case v1beta1.SchemeGroupVersion.WithKind("DataPlaneManagedIdentities"):
+ return &hypershiftv1beta1.DataPlaneManagedIdentitiesApplyConfiguration{}
 case v1beta1.SchemeGroupVersion.WithKind("Diagnostics"):
 return &hypershiftv1beta1.DiagnosticsApplyConfiguration{}
 case v1beta1.SchemeGroupVersion.WithKind("DNSSpec"):
diff --git a/cmd/install/assets/hypershift-operator/certificates.hypershift.openshift.io_certificaterevocationrequests.yaml b/cmd/install/assets/hypershift-operator/certificates.hypershift.openshift.io_certificaterevocationrequests.yaml
deleted file mode 100644
index d00283ac08f..00000000000
--- a/cmd/install/assets/hypershift-operator/certificates.hypershift.openshift.io_certificaterevocationrequests.yaml
+++ /dev/null
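Review bot: The IngressMSIClientID field and its WithIngressMSIClientID setter in this generated file appear to have no counterpart in the DataPlaneManagedIdentities API type this commit introduces, whose other client-ID fields do seem to line up one-for-one with the remaining setters here; that suggests the generator was run against a different revision of the type than the one being committed. An apply configuration built with WithIngressMSIClientID would carry a field the CRD schema does not declare, which server-side apply will likely prune or, under strict field validation, reject, so the discrepancy is worth settling before merge rather than discovering at apply time. Since the file carries `// Code generated by applyconfiguration-gen. DO NOT EDIT.`, the fix belongs in the generator input: either add the ingress identity to the API type (with the same `+kubebuilder:validation:Required` marker as its siblings, plus regenerated deepcopy and CRD manifests) or re-run the generator so this field and setter disappear; the `ForKind` case added in utils.go is unaffected either way.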
@@ -1,156 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: certificaterevocationrequests.certificates.hypershift.openshift.io -spec: - group: certificates.hypershift.openshift.io - names: - kind: CertificateRevocationRequest - listKind: CertificateRevocationRequestList - plural: certificaterevocationrequests - shortNames: - - crr - - crrs - singular: certificaterevocationrequest - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - CertificateRevocationRequest defines the desired state of CertificateRevocationRequest. - A request denotes the user's desire to revoke a signer certificate of the class indicated in spec. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CertificateRevocationRequestSpec defines the desired state - of CertificateRevocationRequest - properties: - signerClass: - description: |- - SignerClass identifies the class of signer to revoke. All the active signing CAs for the - signer class will be revoked. 
- enum: - - customer-break-glass - - sre-break-glass - type: string - x-kubernetes-validations: - - message: signerClass is immutable - rule: self == oldSelf - required: - - signerClass - type: object - status: - description: CertificateRevocationRequestStatus defines the observed state - of CertificateRevocationRequest - properties: - conditions: - description: Conditions contain details about the various aspects - of certificate revocation. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - previousSigner: - description: |- - PreviousSigner stores a reference to the previous signer certificate. We require - storing this data to ensure that we can validate that the old signer is no longer - valid before considering revocation complete. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - revocationTimestamp: - description: |- - RevocationTimestamp is the cut-off time for signing CAs to be revoked. All certificates that - are valid before this time will be revoked; all re-generated certificates will not be valid - at or before this time. - format: date-time - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/cmd/install/assets/hypershift-operator/certificates.hypershift.openshift.io_certificatesigningrequestapprovals.yaml b/cmd/install/assets/hypershift-operator/certificates.hypershift.openshift.io_certificatesigningrequestapprovals.yaml deleted file mode 100644 index fd00fef762a..00000000000 --- a/cmd/install/assets/hypershift-operator/certificates.hypershift.openshift.io_certificatesigningrequestapprovals.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: certificatesigningrequestapprovals.certificates.hypershift.openshift.io -spec: - group: certificates.hypershift.openshift.io - names: - kind: CertificateSigningRequestApproval - listKind: CertificateSigningRequestApprovalList - plural: certificatesigningrequestapprovals - shortNames: - - csra - - csras - singular: certificatesigningrequestapproval - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: CertificateSigningRequestApproval defines the desired state of - CertificateSigningRequestApproval - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CertificateSigningRequestApprovalSpec defines the desired - state of CertificateSigningRequestApproval - type: object - status: - description: CertificateSigningRequestApprovalStatus defines the observed - state of CertificateSigningRequestApproval - type: object - type: object - served: true - storage: true 
diff --git a/cmd/install/assets/hypershift-operator/scheduling.hypershift.openshift.io_clustersizingconfigurations.yaml b/cmd/install/assets/hypershift-operator/scheduling.hypershift.openshift.io_clustersizingconfigurations.yaml
deleted file mode 100644
index f0d0031e4e0..00000000000
--- a/cmd/install/assets/hypershift-operator/scheduling.hypershift.openshift.io_clustersizingconfigurations.yaml
+++ /dev/null
@@ -1,326 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - name: clustersizingconfigurations.scheduling.hypershift.openshift.io -spec: - group: scheduling.hypershift.openshift.io - names: - kind: ClusterSizingConfiguration - listKind: ClusterSizingConfigurationList - plural: clustersizingconfigurations - shortNames: - - csc - - cscs - singular: clustersizingconfiguration - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - ClusterSizingConfiguration defines the desired state of ClusterSizingConfiguration. - Configuration options here allow management cluster administrators to define sizing classes for hosted clusters and - how the system should adapt hosted cluster functionality based on size. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: ClusterSizingConfigurationSpec defines the desired state - of ClusterSizingConfiguration - properties: - concurrency: - description: |- - Concurrency defines the bounds of allowed behavior for clusters transitioning between sizes. 
- Transitions will require that request-serving pods be re-scheduled between nodes, so each - transition incurs a small user-facing cost as well as a cost to the management cluster. Use - the concurrency configuration options to manage how many transitions can be occurring. - These limits do not apply to new clusters entering the fleet. - If unset, a sensible default will be provided. - properties: - limit: - default: 5 - description: Limit is the maximum allowed number of cluster size - transitions during the sliding window. - format: int32 - minimum: 1 - type: integer - slidingWindow: - default: 10m - description: SlidingWindow is the window over which the concurrency - bound is enforced. - pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ - type: string - required: - - limit - - slidingWindow - type: object - nonRequestServingNodesBufferPerZone: - anyOf: - - type: integer - - type: string - description: |- - NonRequestServingNodesBufferPerZone is the number of extra nodes to allocate for non request serving - workloads per zone. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - sizes: - description: |- - Sizes holds the different t-shirt size classes into which guest clusters will be sorted. - Each size class applies to guest clusters using node count criteria; it is required that - the entire interval between [0,+inf) be covered by the set of sizes provided here. - items: - description: SizeConfiguration holds options for clusters of a given - size. - properties: - criteria: - description: Criteria defines the node count range for clusters - to fall into this t-shirt size class. - properties: - from: - description: From is the inclusive lower limit to node count - for a cluster to be considered a particular size. 
- format: int32 - minimum: 0 - type: integer - to: - description: |- - To is the inclusive upper limit to node count for a cluster to be considered a particular size. - If unset, this size class will match clusters of all sizes greater than the lower limit. - format: int32 - minimum: 0 - type: integer - required: - - from - type: object - x-kubernetes-validations: - - message: lower limit must be less than or equal to the upper - limit - rule: '!has(self.to) || self.from <= self.to' - effects: - description: Effects define the effects on a cluster being considered - part of this t-shirt size class. - properties: - APICriticalPriorityClassName: - description: |- - APICriticalPriorityClassName is the priority class for pods in the API request serving path. - This includes Kube API Server, OpenShift APIServer, etc. - type: string - controlPlanePriorityClassName: - description: ControlPlanePriorityClassName is the priority - class to use for most control plane pods - type: string - etcdPriorityClassName: - description: EtcdPriorityClassName is the priority class - to use for etcd pods - type: string - kasGoMemLimit: - anyOf: - - type: integer - - type: string - description: KASGoMemLimit is the value to set for the $GOMEMLIMIT - of the Kube APIServer container - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - machineHealthCheckTimeout: - description: |- - MachineHealthCheckTimeout specifies an optional timeout for machinehealthchecks created - for HostedClusters with this specific size. 
- type: string - maximumMutatingRequestsInflight: - description: MaximumMutatingRequestsInflight specifies the - maximum mutating requests in flight for Kube APIServer - type: integer - maximumRequestsInflight: - description: MaximumRequestsInFlight specifies the maximum - requests in flight for Kube APIServer - type: integer - resourceRequests: - description: ResourceRequests allows specifying resource - requests for control plane pods. - items: - properties: - containerName: - description: ContainerName is the name of the container - to which the resource request applies. - type: string - cpu: - anyOf: - - type: integer - - type: string - description: CPU is the amount of CPU to request for - the container. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - deploymentName: - description: DeploymentName is the name of the deployment - to which the resource request applies. - type: string - memory: - anyOf: - - type: integer - - type: string - description: Memory is the amount of memory to request - for the container. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - required: - - containerName - - deploymentName - type: object - type: array - type: object - management: - description: Management configures the management aspects of - this size class on the management plane. - properties: - nonRequestServingNodesPerZone: - anyOf: - - type: integer - - type: string - description: |- - NonRequestServingNodesPerZone is the number of nodes to allocate for non request serving workloads - per HostedCluster. This will likely be a fraction of a node (ie. 0.2) to allow 5 HostedClusters in - a single node. The total number of nodes needed per HostedCluster is this number multiplied by 3 - (number of zones). 
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - placeholders: - description: |- - Placeholders configures the number of dummy workloads that will be scheduled irrespective of - HostedClusters in order to keep a set of nodes ready to accept new cluster creation and scheduling. - minimum: 0 - type: integer - type: object - name: - description: Name is the t-shirt size name. - type: string - required: - - criteria - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - x-kubernetes-validations: - - message: exactly one size class must have a lower limit of zero - rule: self.exists_one(i, i.criteria.from == 0) - - message: exactly one size class must have no upper limit - rule: self.exists_one(i, !has(i.criteria.to)) - transitionDelay: - description: |- - TransitionDelay configures how quickly the system reacts to clusters transitioning between size classes. - It may be advantageous, for instance, to have a near-instant scale-down for clusters that begin to - use fewer resources, but allow for some lag on scale-up to ensure that the use is sustained before - incurring the larger cost for scale-up. - properties: - decrease: - default: 10m - description: |- - Decrease defines the minimum period of time to wait between a cluster's size decreasing and - the t-shirt size assigned to it being updated to reflect the new size. - pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ - type: string - increase: - default: 30s - description: |- - Increase defines the minimum period of time to wait between a cluster's size increasing and - the t-shirt size assigned to it being updated to reflect the new size. 
- pattern: ^([0-9]+(\.[0-9]+)?(s|m|h))+$ - type: string - type: object - required: - - sizes - type: object - status: - description: ClusterSizingConfigurationStatus defines the observed state - of ClusterSizingConfiguration - properties: - conditions: - description: Conditions contain details about the various aspects - of cluster sizing. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. 
- enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - x-kubernetes-validations: - - message: exactly one configuration may exist and must be named 'cluster' - rule: self.metadata.name == 'cluster' - served: true - storage: true - subresources: - status: {} diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/awsendpointservices.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/awsendpointservices.crd.yaml deleted file mode 100644 index ef3871a651b..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/awsendpointservices.crd.yaml +++ /dev/null 
@@ -1,180 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - name: awsendpointservices.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: AWSEndpointService - listKind: AWSEndpointServiceList - plural: awsendpointservices - singular: awsendpointservice - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: AWSEndpointService specifies a request for an Endpoint Service - in AWS - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: AWSEndpointServiceSpec defines the desired state of AWSEndpointService - properties: - networkLoadBalancerName: - description: The name of the NLB for which an Endpoint Service should - be configured - type: string - resourceTags: - description: Tags to apply to the EndpointService - items: - description: AWSResourceTag is a tag to apply to AWS resources created - for the cluster. - properties: - key: - description: Key is the key of the tag. 
- maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - type: array - subnetIDs: - description: SubnetIDs is the list of subnet IDs to which guest nodes - can attach - items: - type: string - type: array - required: - - networkLoadBalancerName - type: object - status: - description: AWSEndpointServiceStatus defines the observed state of AWSEndpointService - properties: - conditions: - description: |- - Conditions contains details for the current state of the Endpoint Service - request If there is an error processing the request e.g. the NLB doesn't - exist, then the Available condition will be false, reason AWSErrorReason, - and the error reported in the message. - - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. 
- For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - dnsNames: - description: DNSName are the names for the records created in the - hypershift private zone - items: - type: string - type: array - dnsZoneID: - description: DNSZoneID is ID for the hypershift private zone - type: string - endpointID: - description: EndpointID is the ID of the Endpoint created in the guest - VPC - type: string - endpointServiceName: - description: |- - EndpointServiceName is the name of the Endpoint Service created in the - management VPC - type: string - securityGroupID: - description: SecurityGroupID is the ID for the VPC endpoint SecurityGroup - type: string - type: object - type: object - served: true - storage: true - subresources: - status: {} 
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/certificatesigningrequestapprovals.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/certificatesigningrequestapprovals.crd.yaml
deleted file mode 100644
index 07a7a65fc07..00000000000
--- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/certificatesigningrequestapprovals.crd.yaml
+++ /dev/null
@@ -1,54 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - name: certificatesigningrequestapprovals.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: CertificateSigningRequestApproval - listKind: CertificateSigningRequestApprovalList - plural: certificatesigningrequestapprovals - shortNames: - - csra - - csras - singular: certificatesigningrequestapproval - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: CertificateSigningRequestApproval defines the desired state of - CertificateSigningRequestApproval - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: CertificateSigningRequestApprovalSpec defines the desired - state of CertificateSigningRequestApproval - type: object - status: - description: CertificateSigningRequestApprovalStatus defines the observed - state of CertificateSigningRequestApproval - type: object - type: object - served: true - storage: true 
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/doc.go b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/doc.go
deleted file mode 100644
index a4a42ea8803..00000000000
--- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/doc.go
+++ /dev/null
@@ -1 +0,0 @@
-package hypershift_v1beta1_crdmanifests
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml
deleted file mode 100644
index 969c0baa6f1..00000000000
--- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-CustomNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,5516 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. 
- - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. - minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. 
- minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. 
- type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. 
- When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. 
- It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. 
- type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. 
- type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. 
- Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. 
- properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. 
- type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - managedIdentities: - description: |- - managedIdentities contains the managed identities needed for HCP control plane and data plane components that - authenticate with Azure's API. - properties: - controlPlane: - description: |- - controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to - authenticate with Azure's API. - properties: - cloudProvider: - description: |- - cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller - manager. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - controlPlaneOperator: - description: controlPlaneOperator is a pre-existing - managed identity associated with the control plane - operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - disk: - description: diskClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - file: - description: fileClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - imageRegistry: - description: imageRegistry is a pre-existing managed - identity associated with the cluster-image-registry-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. 
This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - ingress: - description: ingress is a pre-existing managed identity - associated with the cluster-ingress-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - managedIdentitiesKeyVault: - description: |- - managedIdentitiesKeyVault contains information on the management cluster's managed identities Azure Key Vault. - This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the - Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring - authentication with Azure API. - - More information on how the Secrets Store CSI driver works to do this can be found here: - https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. 
- properties: - name: - description: name is the name of the Azure Key - Vault on the management cluster. - type: string - tenantID: - description: tenantID is the tenant ID of the - Azure Key Vault on the management cluster. - type: string - required: - - name - - tenantID - type: object - network: - description: network is a pre-existing managed identity - associated with the cluster-network-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - nodePoolManagement: - description: nodePoolManagement is a pre-existing - managed identity associated with the operator managing - the NodePools. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - cloudProvider - - controlPlaneOperator - - disk - - file - - imageRegistry - - ingress - - managedIdentitiesKeyVault - - network - - nodePoolManagement - type: object - required: - - controlPlane - type: object - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. 
This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - openstack: - description: OpenStack specifies configuration for clusters running - on OpenStack. - properties: - disableExternalNetwork: - description: |- - DisableExternalNetwork specifies whether or not to attempt to connect the cluster - to an external network. This allows for the creation of clusters when connecting - to an external network is not possible or desirable, e.g. if using a provider network. - type: boolean - externalNetwork: - description: |- - ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. - This option is ignored if DisableExternalNetwork is set to true. - - If ExternalNetwork is defined it must refer to exactly one external network. 
- - If ExternalNetwork is not defined or is empty the controller will use any - existing external network as long as there is only one. It is an - error if ExternalNetwork is not defined and there are multiple - external networks unless DisableExternalNetwork is also set. - - If ExternalNetwork is not defined and there are no external networks - the controller will proceed as though DisableExternalNetwork was set. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - identityRef: - description: |- - IdentityRef is a reference to a secret holding OpenStack credentials - to be used when reconciling the hosted cluster. - properties: - cloudName: - description: CloudName specifies the name of the entry - in the clouds.yaml file to use. - type: string - name: - description: |- - Name is the name of a secret in the same namespace as the resource being provisioned. - The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file. - The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate. - type: string - required: - - cloudName - - name - type: object - managedSubnets: - description: |- - ManagedSubnets describe the OpenStack Subnet to be created. Cluster actuator will create a network, - and a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster - MachineNetwork, and a router connected to the subnet. Currently only one IPv4 - subnet is supported. - items: - properties: - allocationPools: - description: |- - AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. - If set, OpenStack will only allocate these IPs for Machines. 
It will still be possible to create ports from - outside of these ranges manually. - items: - properties: - end: - description: End represents the end of the AlloctionPool, - that is the highest IP of the pool. - type: string - start: - description: Start represents the start of the - AllocationPool, that is the lowest IP of the - pool. - type: string - required: - - end - - start - type: object - type: array - dnsNameservers: - description: |- - DNSNameservers holds a list of DNS server addresses that will be provided when creating - the subnet. These addresses need to have the same IP version as CIDR. - items: - type: string - type: array - type: object - maxItems: 1 - type: array - x-kubernetes-list-type: atomic - network: - description: |- - Network specifies an existing network to use if no ManagedSubnets - are specified. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - networkMTU: - description: |- - NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. - This value will be used only if the Cluster actuator creates the network. - If left empty, the network will have the default MTU defined in Openstack network service. - To use this field, the Openstack installation requires the net-mtu neutron API extension. - type: integer - router: - description: |- - Router specifies an existing router to be used if ManagedSubnets are - specified. If specified, no new router will be created. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - router. If provided, cannot be empty. 
- minProperties: 1 - properties: - description: - description: Description is the description of the - router to filter by. - type: string - name: - description: Name is the name of the router to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the router - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the router to use. 
If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - subnets: - description: |- - Subnets specifies existing subnets to use if not ManagedSubnets are - specified. All subnets must be in the network specified by Network. - There can be zero, one, or two subnets. If no subnets are specified, - all subnets in Network will be used. If 2 subnets are specified, one - must be IPv4 and the other IPv6. - items: - description: SubnetParam specifies an OpenStack subnet to - use. It may be specified by either ID or filter, but not - both. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select the - subnet. It must match exactly one subnet. - minProperties: 1 - properties: - cidr: - description: CIDR is the CIDR of the subnet to filter - by. - type: string - description: - description: Description is the description of the - subnet to filter by. - type: string - gatewayIP: - description: GatewayIP is the gateway IP of the - subnet to filter by. - type: string - ipVersion: - description: IPVersion is the IP version of the - subnet to filter by. - type: integer - ipv6AddressMode: - description: IPv6AddressMode is the IPv6 address - mode of the subnet to filter by. - type: string - ipv6RAMode: - description: IPv6RAMode is the IPv6 RA mode of the - subnet to filter by. - type: string - name: - description: Name is the name of the subnet to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. 
If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the - subnet to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the uuid of the subnet. It will not - be validated. - format: uuid - type: string - type: object - maxItems: 2 - type: array - x-kubernetes-list-type: atomic - tags: - description: Tags to set on all resources in cluster which - support tags - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - identityRef - type: object - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. 
- type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. 
- type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. 
Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. 
- maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - 
description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - kms: - description: kms is a pre-existing managed identity used - to authenticate with Azure KMS. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity must - be a valid UUID. It should be 5 groups of hyphen - separated hexadecimal characters in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). 
- type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. 
- type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. 
- properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. 
- type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml deleted file mode 100644 index 9015c5ebacf..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Default.crd.yaml +++ /dev/null 
@@ -1,4795 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. 
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. 
- - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. - minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. 
- minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. 
- type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. 
- When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. 
- It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. 
- type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. 
- type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. 
- Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. 
- properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. 
- type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. 
- The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. - maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) 
or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. - type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. 
- properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. - - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. 
- type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. 
Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. 
- properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - 
description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. 
- properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. 
- Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? 
self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. 
- type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. 
This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. 
- maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. 
- items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. - When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. 
- minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. 
- This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. - type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. 
- Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. - format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index 81d722336da..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedclusters-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,5516 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: hostedclusters.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: HostedCluster - listKind: HostedClusterList - plural: hostedclusters - shortNames: - - hc - - hcs - singular: hostedcluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Version - jsonPath: .status.version.history[?(@.state=="Completed")].version - name: Version - type: string - - description: KubeConfig Secret - jsonPath: .status.kubeconfig.name - name: KubeConfig - type: string - - description: Progress - jsonPath: .status.version.history[?(@.state!="")].state - name: Progress - type: string - - description: Available - jsonPath: .status.conditions[?(@.type=="Available")].status - name: Available - type: string - - description: Progressing - jsonPath: .status.conditions[?(@.type=="Progressing")].status - name: Progressing - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Available")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - HostedCluster is the primary representation of a HyperShift cluster and encapsulates - the control plane and common data plane configuration. Creating a HostedCluster - results in a fully functional OpenShift control plane with no attached nodes. - To support workloads (e.g. pods), a HostedCluster may have one or more associated - NodePool resources. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. 
- Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the HostedCluster. - properties: - additionalTrustBundle: - description: |- - AdditionalTrustBundle is a reference to a ConfigMap containing a - PEM-encoded X.509 certificate bundle that will be added to the hosted controlplane and nodes - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook endpoint - for a cluster to process cluster audit events. It references a secret that - contains the webhook information for the audit webhook endpoint. It is a - secret because if the endpoint has mTLS the kubeconfig will contain client - keys. The kubeconfig needs to be stored in the secret with a secret key - name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. - format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID uniquely identifies this cluster. 
This is expected to be - an RFC4122 UUID value (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx in - hexadecimal values). - As with a Kubernetes metadata.uid, this ID uniquely identifies this - cluster in space and time. - This value identifies the cluster in metrics pushed to telemetry and - metrics produced by the control plane operators. If a value is not - specified, an ID is generated. After initial creation, the value is - immutable. - pattern: '[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}' - type: string - configuration: - description: |- - Configuration specifies configuration for individual OCP components in the - cluster, represented as embedded resources that correspond to the openshift - configuration API. - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. 
- items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). 
- - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. - You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. 
- - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. - items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. 
For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - 
ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. - This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. 
- If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. - - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. 
- - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. - minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. 
- minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. 
- type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. 
- When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. 
- It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneRelease: - description: |- - ControlPlaneRelease specifies the desired OCP release payload for - control plane components running on the management cluster. - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - If not defined, Release is used - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - controllerAvailabilityPolicy: - default: HighlyAvailable - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is HighlyAvailable. - type: string - dns: - description: DNS specifies DNS configuration for the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. 
- type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - default: - managed: - storage: - persistentVolume: - size: 8Gi - type: PersistentVolume - managementType: Managed - description: |- - Etcd specifies configuration for the control plane etcd cluster. The - default ManagementType is Managed. Once set, the ManagementType cannot be - changed. - properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. 
- type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: |- - FIPS indicates whether this cluster's nodes will be running in FIPS mode. - If set to true, the control plane's ignition server will be configured to - expect that nodes joining the cluster will be FIPS-enabled. - type: boolean - imageContentSources: - description: |- - ImageContentSources specifies image mirrors that can be used by cluster - nodes to pull content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. - properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - description: |- - InfraID is a globally unique identifier for the cluster. This identifier - will be used to associate various cloud resources with the HostedCluster - and its associated NodePools. - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. 
- type: string - issuerURL: - default: https://kubernetes.default.svc - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - format: uri - type: string - networking: - default: - clusterNetwork: - - cidr: 10.132.0.0/14 - networkType: OVNKubernetes - serviceNetwork: - - cidr: 172.31.0.0/16 - description: Networking specifies network configuration for the cluster. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. - This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. 
- Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. - type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - x-kubernetes-validations: - - message: OLMCatalogPlacement is immutable - rule: self == oldSelf - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - Platform specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. - properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. 
- properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. 
- type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. 
- maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - 
[\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - 
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ 
\"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - [\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": 
[\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. - properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. 
- type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. - properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. 
- - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - managedIdentities: - description: |- - managedIdentities contains the managed identities needed for HCP control plane and data plane components that - authenticate with Azure's API. - properties: - controlPlane: - description: |- - controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to - authenticate with Azure's API. - properties: - cloudProvider: - description: |- - cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller - manager. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - controlPlaneOperator: - description: controlPlaneOperator is a pre-existing - managed identity associated with the control plane - operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - disk: - description: diskClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - file: - description: fileClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - imageRegistry: - description: imageRegistry is a pre-existing managed - identity associated with the cluster-image-registry-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. 
This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - ingress: - description: ingress is a pre-existing managed identity - associated with the cluster-ingress-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - managedIdentitiesKeyVault: - description: |- - managedIdentitiesKeyVault contains information on the management cluster's managed identities Azure Key Vault. - This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the - Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring - authentication with Azure API. - - More information on how the Secrets Store CSI driver works to do this can be found here: - https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. 
- properties: - name: - description: name is the name of the Azure Key - Vault on the management cluster. - type: string - tenantID: - description: tenantID is the tenant ID of the - Azure Key Vault on the management cluster. - type: string - required: - - name - - tenantID - type: object - network: - description: network is a pre-existing managed identity - associated with the cluster-network-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - nodePoolManagement: - description: nodePoolManagement is a pre-existing - managed identity associated with the operator managing - the NodePools. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - cloudProvider - - controlPlaneOperator - - disk - - file - - imageRegistry - - ingress - - managedIdentitiesKeyVault - - network - - nodePoolManagement - type: object - required: - - controlPlane - type: object - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. 
This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - openstack: - description: OpenStack specifies configuration for clusters running - on OpenStack. - properties: - disableExternalNetwork: - description: |- - DisableExternalNetwork specifies whether or not to attempt to connect the cluster - to an external network. This allows for the creation of clusters when connecting - to an external network is not possible or desirable, e.g. if using a provider network. - type: boolean - externalNetwork: - description: |- - ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. - This option is ignored if DisableExternalNetwork is set to true. - - If ExternalNetwork is defined it must refer to exactly one external network. 
- - If ExternalNetwork is not defined or is empty the controller will use any - existing external network as long as there is only one. It is an - error if ExternalNetwork is not defined and there are multiple - external networks unless DisableExternalNetwork is also set. - - If ExternalNetwork is not defined and there are no external networks - the controller will proceed as though DisableExternalNetwork was set. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - identityRef: - description: |- - IdentityRef is a reference to a secret holding OpenStack credentials - to be used when reconciling the hosted cluster. - properties: - cloudName: - description: CloudName specifies the name of the entry - in the clouds.yaml file to use. - type: string - name: - description: |- - Name is the name of a secret in the same namespace as the resource being provisioned. - The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file. - The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate. - type: string - required: - - cloudName - - name - type: object - managedSubnets: - description: |- - ManagedSubnets describe the OpenStack Subnet to be created. Cluster actuator will create a network, - and a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster - MachineNetwork, and a router connected to the subnet. Currently only one IPv4 - subnet is supported. - items: - properties: - allocationPools: - description: |- - AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. - If set, OpenStack will only allocate these IPs for Machines. 
It will still be possible to create ports from - outside of these ranges manually. - items: - properties: - end: - description: End represents the end of the AlloctionPool, - that is the highest IP of the pool. - type: string - start: - description: Start represents the start of the - AllocationPool, that is the lowest IP of the - pool. - type: string - required: - - end - - start - type: object - type: array - dnsNameservers: - description: |- - DNSNameservers holds a list of DNS server addresses that will be provided when creating - the subnet. These addresses need to have the same IP version as CIDR. - items: - type: string - type: array - type: object - maxItems: 1 - type: array - x-kubernetes-list-type: atomic - network: - description: |- - Network specifies an existing network to use if no ManagedSubnets - are specified. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - networkMTU: - description: |- - NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. - This value will be used only if the Cluster actuator creates the network. - If left empty, the network will have the default MTU defined in Openstack network service. - To use this field, the Openstack installation requires the net-mtu neutron API extension. - type: integer - router: - description: |- - Router specifies an existing router to be used if ManagedSubnets are - specified. If specified, no new router will be created. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - router. If provided, cannot be empty. 
- minProperties: 1 - properties: - description: - description: Description is the description of the - router to filter by. - type: string - name: - description: Name is the name of the router to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the router - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the router to use. 
If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - subnets: - description: |- - Subnets specifies existing subnets to use if not ManagedSubnets are - specified. All subnets must be in the network specified by Network. - There can be zero, one, or two subnets. If no subnets are specified, - all subnets in Network will be used. If 2 subnets are specified, one - must be IPv4 and the other IPv6. - items: - description: SubnetParam specifies an OpenStack subnet to - use. It may be specified by either ID or filter, but not - both. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select the - subnet. It must match exactly one subnet. - minProperties: 1 - properties: - cidr: - description: CIDR is the CIDR of the subnet to filter - by. - type: string - description: - description: Description is the description of the - subnet to filter by. - type: string - gatewayIP: - description: GatewayIP is the gateway IP of the - subnet to filter by. - type: string - ipVersion: - description: IPVersion is the IP version of the - subnet to filter by. - type: integer - ipv6AddressMode: - description: IPv6AddressMode is the IPv6 address - mode of the subnet to filter by. - type: string - ipv6RAMode: - description: IPv6RAMode is the IPv6 RA mode of the - subnet to filter by. - type: string - name: - description: Name is the name of the subnet to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. 
If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the - subnet to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the uuid of the subnet. It will not - be validated. - format: uuid - type: string - type: object - maxItems: 2 - type: array - x-kubernetes-list-type: atomic - tags: - description: Tags to set on all resources in cluster which - support tags - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - identityRef - type: object - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. 
- type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. 
- type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. 
Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - PullSecret references a pull secret to be injected into the container - runtime of all cluster nodes. The secret must have a key named - ".dockerconfigjson" whose value is the pull secret JSON. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - release: - description: |- - Release specifies the desired OCP release payload for the hosted cluster. - - Updating this field will trigger a rollout of the control plane. The - behavior of the rollout will be driven by the ControllerAvailabilityPolicy - and InfrastructureAvailabilityPolicy. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. 
- maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - secretEncryption: - description: |- - SecretEncryption specifies a Kubernetes secret encryption strategy for the - control plane. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - 
description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - kms: - description: kms is a pre-existing managed identity used - to authenticate with Azure KMS. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity must - be a valid UUID. It should be 5 groups of hyphen - separated hexadecimal characters in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). 
- type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. 
- type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. When specifying a service account - signing key, a IssuerURL must also be specified. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services specifies how individual control plane services are published from - the hosting cluster of the control plane. - - If a given service is not present in this list, it will be exposed publicly - by default. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. 
- properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. - enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - SSHKey references an SSH key to be injected into all cluster node sshd - servers. The secret must have a single key "id_rsa.pub" whose value is the - public part of an SSH key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. 
- type: string - required: - - networking - - platform - - pullSecret - - release - - services - - sshKey - type: object - x-kubernetes-validations: - - message: Services is immutable. Changes might result in unpredictable - and disruptive behavior. - rule: 'self.platform.type != "IBMCloud" ? self.services == oldSelf.services - : true' - - message: Azure platform requires APIServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "APIServer" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - - message: Azure platform requires OAuthServer Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "OAuthServer" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Konnectivity Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Konnectivity" && s.servicePublishingStrategy.type == "Route" && - s.servicePublishingStrategy.route.hostname != "") : true' - - message: Azure platform requires Ignition Route service with a hostname - to be defined - rule: 'self.platform.type == "Azure" ? self.services.exists(s, s.service - == "Ignition" && s.servicePublishingStrategy.type == "Route" && s.servicePublishingStrategy.route.hostname - != "") : true' - status: - description: Status is the latest observed status of the HostedCluster. - properties: - conditions: - description: |- - Conditions represents the latest available observations of a control - plane's current state. - items: - description: Condition contains details for one aspect of the current - state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. 
- maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - ignitionEndpoint: - description: |- - IgnitionEndpoint is the endpoint injected in the ign config userdata. - It exposes the config for instances to become kubernetes nodes. - type: string - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret that contains the initial - kubeadmin user password for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeconfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. - type: string - payloadArch: - description: |- - payloadArch represents the CPU architecture type of the HostedCluster.Spec.Release.Image. The valid values are: - Multi, ARM64, AMD64, S390X, or PPC64LE. - enum: - - Multi - - ARM64 - - AMD64 - - PPC64LE - - S390X - type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - version: - description: |- - Version is the status of the release version applied to the - HostedCluster. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-CustomNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-CustomNoUpgrade.crd.yaml deleted file mode 100644 index c2d56433b7b..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-CustomNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,5439 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. 
- format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. 
This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. 
- - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. 
- minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. 
- type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. 
- When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. 
- It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. - type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. 
- properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. 
- enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. 
- This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. 
- properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. 
- properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - 
following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - 
"elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ 
\"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - 
[\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. 
- properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - managedIdentities: - description: |- - managedIdentities contains the managed identities needed for HCP control plane and data plane components that - authenticate with Azure's API. - properties: - controlPlane: - description: |- - controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to - authenticate with Azure's API. - properties: - cloudProvider: - description: |- - cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller - manager. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - controlPlaneOperator: - description: controlPlaneOperator is a pre-existing - managed identity associated with the control plane - operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - disk: - description: diskClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - file: - description: fileClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. 
This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - imageRegistry: - description: imageRegistry is a pre-existing managed - identity associated with the cluster-image-registry-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - ingress: - description: ingress is a pre-existing managed identity - associated with the cluster-ingress-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - managedIdentitiesKeyVault: - description: |- - managedIdentitiesKeyVault contains information on the management cluster's managed identities Azure Key Vault. - This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the - Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring - authentication with Azure API. - - More information on how the Secrets Store CSI driver works to do this can be found here: - https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. - properties: - name: - description: name is the name of the Azure Key - Vault on the management cluster. - type: string - tenantID: - description: tenantID is the tenant ID of the - Azure Key Vault on the management cluster. - type: string - required: - - name - - tenantID - type: object - network: - description: network is a pre-existing managed identity - associated with the cluster-network-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - nodePoolManagement: - description: nodePoolManagement is a pre-existing - managed identity associated with the operator managing - the NodePools. 
- properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - cloudProvider - - controlPlaneOperator - - disk - - file - - imageRegistry - - ingress - - managedIdentitiesKeyVault - - network - - nodePoolManagement - type: object - required: - - controlPlane - type: object - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - openstack: - description: OpenStack specifies configuration for clusters running - on OpenStack. - properties: - disableExternalNetwork: - description: |- - DisableExternalNetwork specifies whether or not to attempt to connect the cluster - to an external network. This allows for the creation of clusters when connecting - to an external network is not possible or desirable, e.g. if using a provider network. - type: boolean - externalNetwork: - description: |- - ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. - This option is ignored if DisableExternalNetwork is set to true. - - If ExternalNetwork is defined it must refer to exactly one external network. 
- - If ExternalNetwork is not defined or is empty the controller will use any - existing external network as long as there is only one. It is an - error if ExternalNetwork is not defined and there are multiple - external networks unless DisableExternalNetwork is also set. - - If ExternalNetwork is not defined and there are no external networks - the controller will proceed as though DisableExternalNetwork was set. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - identityRef: - description: |- - IdentityRef is a reference to a secret holding OpenStack credentials - to be used when reconciling the hosted cluster. - properties: - cloudName: - description: CloudName specifies the name of the entry - in the clouds.yaml file to use. - type: string - name: - description: |- - Name is the name of a secret in the same namespace as the resource being provisioned. - The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file. - The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate. - type: string - required: - - cloudName - - name - type: object - managedSubnets: - description: |- - ManagedSubnets describe the OpenStack Subnet to be created. Cluster actuator will create a network, - and a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster - MachineNetwork, and a router connected to the subnet. Currently only one IPv4 - subnet is supported. - items: - properties: - allocationPools: - description: |- - AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. - If set, OpenStack will only allocate these IPs for Machines. 
It will still be possible to create ports from - outside of these ranges manually. - items: - properties: - end: - description: End represents the end of the AlloctionPool, - that is the highest IP of the pool. - type: string - start: - description: Start represents the start of the - AllocationPool, that is the lowest IP of the - pool. - type: string - required: - - end - - start - type: object - type: array - dnsNameservers: - description: |- - DNSNameservers holds a list of DNS server addresses that will be provided when creating - the subnet. These addresses need to have the same IP version as CIDR. - items: - type: string - type: array - type: object - maxItems: 1 - type: array - x-kubernetes-list-type: atomic - network: - description: |- - Network specifies an existing network to use if no ManagedSubnets - are specified. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - networkMTU: - description: |- - NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. - This value will be used only if the Cluster actuator creates the network. - If left empty, the network will have the default MTU defined in Openstack network service. - To use this field, the Openstack installation requires the net-mtu neutron API extension. - type: integer - router: - description: |- - Router specifies an existing router to be used if ManagedSubnets are - specified. If specified, no new router will be created. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - router. If provided, cannot be empty. 
- minProperties: 1 - properties: - description: - description: Description is the description of the - router to filter by. - type: string - name: - description: Name is the name of the router to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the router - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the router to use. 
If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - subnets: - description: |- - Subnets specifies existing subnets to use if not ManagedSubnets are - specified. All subnets must be in the network specified by Network. - There can be zero, one, or two subnets. If no subnets are specified, - all subnets in Network will be used. If 2 subnets are specified, one - must be IPv4 and the other IPv6. - items: - description: SubnetParam specifies an OpenStack subnet to - use. It may be specified by either ID or filter, but not - both. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select the - subnet. It must match exactly one subnet. - minProperties: 1 - properties: - cidr: - description: CIDR is the CIDR of the subnet to filter - by. - type: string - description: - description: Description is the description of the - subnet to filter by. - type: string - gatewayIP: - description: GatewayIP is the gateway IP of the - subnet to filter by. - type: string - ipVersion: - description: IPVersion is the IP version of the - subnet to filter by. - type: integer - ipv6AddressMode: - description: IPv6AddressMode is the IPv6 address - mode of the subnet to filter by. - type: string - ipv6RAMode: - description: IPv6RAMode is the IPv6 RA mode of the - subnet to filter by. - type: string - name: - description: Name is the name of the subnet to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. 
If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the - subnet to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the uuid of the subnet. It will not - be validated. - format: uuid - type: string - type: object - maxItems: 2 - type: array - x-kubernetes-list-type: atomic - tags: - description: Tags to set on all resources in cluster which - support tags - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - identityRef - type: object - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. 
- type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. 
- type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. 
Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ 
.ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - kms: - description: kms is a pre-existing managed identity used - to authenticate with Azure KMS. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. 
- type: string - x-kubernetes-validations: - - message: the client ID of a managed identity must - be a valid UUID. It should be 5 groups of hyphen - separated hexadecimal characters in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Default.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Default.crd.yaml deleted file mode 100644 index 812c245ad2a..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Default.crd.yaml +++ /dev/null 
@@ -1,4718 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. 
- format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. 
This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. 
- - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. 
- minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. 
- type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. 
- When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. 
- It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. - type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. 
- properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. 
- enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. 
- This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. 
- properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. 
- properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - 
following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - 
"elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ 
\"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - 
[\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. 
- properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. - type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. 
- properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. - type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": 
[\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. 
- properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {}
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index e3f42232a54..00000000000
--- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-TechPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,5439 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: hostedcontrolplanes.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - categories: - - cluster-api - kind: HostedControlPlane - listKind: HostedControlPlaneList - plural: hostedcontrolplanes - shortNames: - - hcp - - hcps - singular: hostedcontrolplane - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: HostedControlPlane defines the desired state of HostedControlPlane - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: HostedControlPlaneSpec defines the desired state of HostedControlPlane - properties: - additionalTrustBundle: - description: AdditionalTrustBundle references a ConfigMap containing - a PEM-encoded X.509 certificate bundle - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. 
Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - auditWebhook: - description: |- - AuditWebhook contains metadata for configuring an audit webhook - endpoint for a cluster to process cluster audit events. It references - a secret that contains the webhook information for the audit webhook endpoint. - It is a secret because if the endpoint has MTLS the kubeconfig will contain client - keys. This is currently only supported in IBM Cloud. The kubeconfig needs to be stored - in the secret with a secret key name that corresponds to the constant AuditWebhookKubeconfigKey. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - autoscaling: - description: |- - Autoscaling specifies auto-scaling behavior that applies to all NodePools - associated with the control plane. - properties: - maxNodeProvisionTime: - description: |- - MaxNodeProvisionTime is the maximum time to wait for node provisioning - before considering the provisioning to be unsuccessful, expressed as a Go - duration string. The default is 15 minutes. - pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$ - type: string - maxNodesTotal: - description: |- - MaxNodesTotal is the maximum allowable number of nodes across all NodePools - for a HostedCluster. The autoscaler will not grow the cluster beyond this - number. 
- format: int32 - minimum: 0 - type: integer - maxPodGracePeriod: - description: |- - MaxPodGracePeriod is the maximum seconds to wait for graceful pod - termination before scaling down a NodePool. The default is 600 seconds. - format: int32 - minimum: 0 - type: integer - podPriorityThreshold: - description: |- - PodPriorityThreshold enables users to schedule "best-effort" pods, which - shouldn't trigger autoscaler actions, but only run when there are spare - resources available. The default is -10. - - See the following for more details: - https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#how-does-cluster-autoscaler-work-with-pod-priority-and-preemption - format: int32 - type: integer - type: object - channel: - description: |- - channel is an identifier for explicitly requesting that a non-default - set of updates be applied to this cluster. The default channel will be - contain stable updates that are appropriate for production clusters. - type: string - clusterID: - description: |- - ClusterID is the unique id that identifies the cluster externally. - Making it optional here allows us to keep compatibility with previous - versions of the control-plane-operator that have no knowledge of this - field. - type: string - configuration: - description: |- - Configuration embeds resources that correspond to the openshift configuration API: - https://docs.openshift.com/container-platform/4.7/rest_api/config_apis/config-apis-index.html - properties: - apiServer: - description: |- - APIServer holds configuration (like serving certificates, client CA and CORS domains) - shared by all API servers in the system, among them especially kube-apiserver - and openshift-apiserver. - properties: - additionalCORSAllowedOrigins: - description: |- - additionalCORSAllowedOrigins lists additional, user-defined regular expressions describing hosts for which the - API server allows access using the CORS headers. 
This may be needed to access the API and the integrated OAuth - server from JavaScript applications. - The values are regular expressions that correspond to the Golang regular expression language. - items: - type: string - type: array - audit: - default: - profile: Default - description: |- - audit specifies the settings for audit configuration to be applied to all OpenShift-provided - API servers in the cluster. - properties: - customRules: - description: |- - customRules specify profiles per group. These profile take precedence over the - top-level profile field if they apply. They are evaluation from top to bottom and - the first one that matches, applies. - items: - description: |- - AuditCustomRule describes a custom rule for an audit profile that takes precedence over - the top-level profile. - properties: - group: - description: group is a name of group a request - user must be member of in order to this profile - to apply. - minLength: 1 - type: string - profile: - description: |- - profile specifies the name of the desired audit policy configuration to be deployed to - all OpenShift-provided API servers in the cluster. - - The following profiles are provided: - - Default: the existing default policy. - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - If unset, the 'Default' profile is used as the default. 
- enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - required: - - group - - profile - type: object - type: array - x-kubernetes-list-map-keys: - - group - x-kubernetes-list-type: map - profile: - default: Default - description: |- - profile specifies the name of the desired top-level audit profile to be applied to all requests - sent to any of the OpenShift-provided API servers in the cluster (kube-apiserver, - openshift-apiserver and oauth-apiserver), with the exception of those requests that match - one or more of the customRules. - - The following profiles are provided: - - Default: default policy which means MetaData level logging with the exception of events - (not logged at all), oauthaccesstokens and oauthauthorizetokens (both logged at RequestBody - level). - - WriteRequestBodies: like 'Default', but logs request and response HTTP payloads for - write requests (create, update, patch). - - AllRequestBodies: like 'WriteRequestBodies', but also logs request and response - HTTP payloads for read requests (get, list). - - None: no requests are logged at all, not even oauthaccesstokens and oauthauthorizetokens. - - Warning: It is not recommended to disable audit logging by using the `None` profile unless you - are fully aware of the risks of not logging data that can be beneficial when troubleshooting issues. - If you disable audit logging and a support situation arises, you might need to enable audit logging - and reproduce the issue in order to troubleshoot properly. - - If unset, the 'Default' profile is used as the default. - enum: - - Default - - WriteRequestBodies - - AllRequestBodies - - None - type: string - type: object - clientCA: - description: |- - clientCA references a ConfigMap containing a certificate bundle for the signers that will be recognized for - incoming client certificates in addition to the operator managed signers. If this is empty, then only operator managed signers are valid. 
- You usually only have to set this if you have your own PKI you wish to honor client certificates from. - The ConfigMap must exist in the openshift-config namespace and contain the following required fields: - - ConfigMap.Data["ca-bundle.crt"] - CA bundle. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - encryption: - description: encryption allows the configuration of encryption - of resources at the datastore layer. - properties: - type: - description: |- - type defines what encryption type should be used to encrypt resources at the datastore layer. - When this field is unset (i.e. when it is set to the empty string), identity is implied. - The behavior of unset can and will change over time. Even if encryption is enabled by default, - the meaning of unset may change to a different encryption type based on changes in best practices. - - When encryption is enabled, all sensitive resources shipped with the platform are encrypted. - This list of sensitive resources can and will change over time. The current authoritative list is: - - 1. secrets - 2. configmaps - 3. routes.route.openshift.io - 4. oauthaccesstokens.oauth.openshift.io - 5. oauthauthorizetokens.oauth.openshift.io - enum: - - "" - - identity - - aescbc - - aesgcm - type: string - type: object - servingCerts: - description: |- - servingCert is the TLS cert info for serving secure traffic. If not specified, operator managed certificates - will be used for serving secure traffic. - properties: - namedCertificates: - description: |- - namedCertificates references secrets containing the TLS cert info for serving secure traffic to specific hostnames. - If no named certificates are provided, or no named certificates match the server name as understood by a client, - the defaultServingCertificate will be used. 
- items: - description: APIServerNamedServingCert maps a server - DNS name, as understood by a client, to a certificate. - properties: - names: - description: |- - names is a optional list of explicit DNS names (leading wildcards allowed) that should use this certificate to - serve secure traffic. If no names are provided, the implicit names will be extracted from the certificates. - Exact names trump over wildcard names. Explicit names defined here trump over extracted implicit names. - items: - type: string - type: array - servingCertificate: - description: |- - servingCertificate references a kubernetes.io/tls type secret containing the TLS cert info for serving secure traffic. - The secret must exist in the openshift-config namespace and contain the following required fields: - - Secret.Data["tls.key"] - TLS private key. - - Secret.Data["tls.crt"] - TLS certificate. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - type: array - type: object - tlsSecurityProfile: - description: |- - tlsSecurityProfile specifies settings for TLS connections for externally exposed servers. - - If unset, a default (which may change between releases) is chosen. Note that only Old, - Intermediate and Custom profiles are currently supported, and the maximum available - minTLSVersion is VersionTLS12. - properties: - custom: - description: |- - custom is a user-defined TLS security profile. Be extremely careful using a custom - profile as invalid configurations can be catastrophic. An example custom profile - looks like this: - - ciphers: - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - minTLSVersion: VersionTLS11 - nullable: true - properties: - ciphers: - description: |- - ciphers is used to specify the cipher algorithms that are negotiated - during the TLS handshake. 
Operators may remove entries their operands - do not support. For example, to use DES-CBC3-SHA (yaml): - - ciphers: - - DES-CBC3-SHA - items: - type: string - type: array - minTLSVersion: - description: |- - minTLSVersion is used to specify the minimal version of the TLS protocol - that is negotiated during the TLS handshake. For example, to use TLS - versions 1.1, 1.2 and 1.3 (yaml): - - minTLSVersion: VersionTLS11 - - NOTE: currently the highest minTLSVersion allowed is VersionTLS12 - enum: - - VersionTLS10 - - VersionTLS11 - - VersionTLS12 - - VersionTLS13 - type: string - type: object - intermediate: - description: |- - intermediate is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29 - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - - - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - minTLSVersion: VersionTLS12 - nullable: true - type: object - modern: - description: |- - modern is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - minTLSVersion: VersionTLS13 - nullable: true - type: object - old: - description: |- - old is a TLS security profile based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Old_backward_compatibility - - and looks like this (yaml): - - ciphers: - - - TLS_AES_128_GCM_SHA256 - - - TLS_AES_256_GCM_SHA384 - - - TLS_CHACHA20_POLY1305_SHA256 - - - ECDHE-ECDSA-AES128-GCM-SHA256 - - - ECDHE-RSA-AES128-GCM-SHA256 - - - ECDHE-ECDSA-AES256-GCM-SHA384 - 
- - ECDHE-RSA-AES256-GCM-SHA384 - - - ECDHE-ECDSA-CHACHA20-POLY1305 - - - ECDHE-RSA-CHACHA20-POLY1305 - - - DHE-RSA-AES128-GCM-SHA256 - - - DHE-RSA-AES256-GCM-SHA384 - - - DHE-RSA-CHACHA20-POLY1305 - - - ECDHE-ECDSA-AES128-SHA256 - - - ECDHE-RSA-AES128-SHA256 - - - ECDHE-ECDSA-AES128-SHA - - - ECDHE-RSA-AES128-SHA - - - ECDHE-ECDSA-AES256-SHA384 - - - ECDHE-RSA-AES256-SHA384 - - - ECDHE-ECDSA-AES256-SHA - - - ECDHE-RSA-AES256-SHA - - - DHE-RSA-AES128-SHA256 - - - DHE-RSA-AES256-SHA256 - - - AES128-GCM-SHA256 - - - AES256-GCM-SHA384 - - - AES128-SHA256 - - - AES256-SHA256 - - - AES128-SHA - - - AES256-SHA - - - DES-CBC3-SHA - - minTLSVersion: VersionTLS10 - nullable: true - type: object - type: - description: |- - type is one of Old, Intermediate, Modern or Custom. Custom provides - the ability to specify individual TLS security profile parameters. - Old, Intermediate and Modern are TLS security profiles based on: - - https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations - - The profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers - are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be - reduced. - - Note that the Modern profile is currently not supported because it is not - yet well adopted by common software libraries. - enum: - - Old - - Intermediate - - Modern - - Custom - type: string - type: object - type: object - authentication: - description: |- - Authentication specifies cluster-wide settings for authentication (like OAuth and - webhook token authenticators). - properties: - oauthMetadata: - description: |- - oauthMetadata contains the discovery endpoint data for OAuth 2.0 - Authorization Server Metadata for an external OAuth server. 
- This discovery document can be viewed from its served location: - oc get --raw '/.well-known/oauth-authorization-server' - For further details, see the IETF Draft: - https://tools.ietf.org/html/draft-ietf-oauth-discovery-04#section-2 - If oauthMetadata.name is non-empty, this value has precedence - over any metadata reference stored in status. - The key "oauthMetadata" is used to locate the data. - If specified and the config map or expected key is not found, no metadata is served. - If the specified metadata is not valid, no metadata is served. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - oidcProviders: - description: |- - OIDCProviders are OIDC identity providers that can issue tokens - for this cluster - Can only be set if "Type" is set to "OIDC". - - At most one provider can be configured. - items: - properties: - claimMappings: - description: |- - ClaimMappings describes rules on how to transform information from an - ID token into a cluster identity - properties: - groups: - description: |- - Groups is a name of the claim that should be used to construct - groups for the cluster identity. - The referenced claim must use array of strings values. - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - description: |- - Prefix is a string to prefix the value from the token in the result of the - claim mapping. - - By default, no prefixing occurs. - - Example: if `prefix` is set to "myoidc:"" and the `claim` in JWT contains - an array of strings "a", "b" and "c", the mapping will result in an - array of string "myoidc:a", "myoidc:b" and "myoidc:c". - type: string - required: - - claim - type: object - username: - description: |- - Username is a name of the claim that should be used to construct - usernames for the cluster identity. 
- - Default value: "sub" - properties: - claim: - description: Claim is a JWT token claim to be - used in the mapping - type: string - prefix: - properties: - prefixString: - minLength: 1 - type: string - required: - - prefixString - type: object - prefixPolicy: - description: |- - PrefixPolicy specifies how a prefix should apply. - - By default, claims other than `email` will be prefixed with the issuer URL to - prevent naming clashes with other plugins. - - Set to "NoPrefix" to disable prefixing. - - Example: - (1) `prefix` is set to "myoidc:" and `claim` is set to "username". - If the JWT claim `username` contains value `userA`, the resulting - mapped value will be "myoidc:userA". - (2) `prefix` is set to "myoidc:" and `claim` is set to "email". If the - JWT `email` claim contains value "userA@myoidc.tld", the resulting - mapped value will be "myoidc:userA@myoidc.tld". - (3) `prefix` is unset, `issuerURL` is set to `https://myoidc.tld`, - the JWT claims include "username":"userA" and "email":"userA@myoidc.tld", - and `claim` is set to: - (a) "username": the mapped value will be "https://myoidc.tld#userA" - (b) "email": the mapped value will be "userA@myoidc.tld" - enum: - - "" - - NoPrefix - - Prefix - type: string - required: - - claim - type: object - x-kubernetes-validations: - - message: prefix must be set if prefixPolicy is - 'Prefix', but must remain unset otherwise - rule: 'has(self.prefixPolicy) && self.prefixPolicy - == ''Prefix'' ? (has(self.prefix) && size(self.prefix.prefixString) - > 0) : !has(self.prefix)' - type: object - claimValidationRules: - description: ClaimValidationRules are rules that are - applied to validate token claims to authenticate users. - items: - properties: - requiredClaim: - description: |- - RequiredClaim allows configuring a required claim name and its expected - value - properties: - claim: - description: |- - Claim is a name of a required claim. Only claims with string values are - supported. 
- minLength: 1 - type: string - requiredValue: - description: RequiredValue is the required - value for the claim. - minLength: 1 - type: string - required: - - claim - - requiredValue - type: object - type: - default: RequiredClaim - description: Type sets the type of the validation - rule - enum: - - RequiredClaim - type: string - type: object - type: array - x-kubernetes-list-type: atomic - issuer: - description: Issuer describes atributes of the OIDC - token issuer - properties: - audiences: - description: |- - Audiences is an array of audiences that the token was issued for. - Valid tokens must include at least one of these values in their - "aud" claim. - Must be set to exactly one value. - items: - minLength: 1 - type: string - maxItems: 10 - minItems: 1 - type: array - x-kubernetes-list-type: set - issuerCertificateAuthority: - description: |- - CertificateAuthority is a reference to a config map in the - configuration namespace. The .data of the configMap must contain - the "ca-bundle.crt" key. - If unset, system trust is used instead. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - issuerURL: - description: |- - URL is the serving URL of the token issuer. - Must use the https:// scheme. 
- pattern: ^https:\/\/[^\s] - type: string - required: - - audiences - - issuerURL - type: object - name: - description: Name of the OIDC provider - minLength: 1 - type: string - oidcClients: - description: |- - OIDCClients contains configuration for the platform's clients that - need to request tokens from the issuer - items: - properties: - clientID: - description: ClientID is the identifier of the - OIDC client from the OIDC provider - minLength: 1 - type: string - clientSecret: - description: |- - ClientSecret refers to a secret in the `openshift-config` namespace that - contains the client secret in the `clientSecret` key of the `.data` field - properties: - name: - description: name is the metadata.name of - the referenced secret - type: string - required: - - name - type: object - componentName: - description: |- - ComponentName is the name of the component that is supposed to consume this - client configuration - maxLength: 256 - minLength: 1 - type: string - componentNamespace: - description: |- - ComponentNamespace is the namespace of the component that is supposed to consume this - client configuration - maxLength: 63 - minLength: 1 - type: string - extraScopes: - description: ExtraScopes is an optional set of - scopes to request tokens with. - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - clientID - - componentName - - componentNamespace - type: object - maxItems: 20 - type: array - x-kubernetes-list-map-keys: - - componentNamespace - - componentName - x-kubernetes-list-type: map - required: - - issuer - - name - type: object - maxItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - serviceAccountIssuer: - description: |- - serviceAccountIssuer is the identifier of the bound service account token - issuer. - The default is https://kubernetes.default.svc - WARNING: Updating this field will not result in immediate invalidation of all bound tokens with the - previous issuer value. 
Instead, the tokens issued by previous service account issuer will continue to - be trusted for a time period chosen by the platform (currently set to 24h). - This time period is subject to change over time. - This allows internal components to transition to use new service account issuer without service distruption. - type: string - type: - description: |- - type identifies the cluster managed, user facing authentication mode in use. - Specifically, it manages the component that responds to login attempts. - The default is IntegratedOAuth. - enum: - - "" - - None - - IntegratedOAuth - - OIDC - type: string - webhookTokenAuthenticator: - description: |- - webhookTokenAuthenticator configures a remote token reviewer. - These remote authentication webhooks can be used to verify bearer tokens - via the tokenreviews.authentication.k8s.io REST API. This is required to - honor bearer tokens that are provisioned by an external authentication service. - - Can only be set if "Type" is set to "None". - properties: - kubeConfig: - description: |- - kubeConfig references a secret that contains kube config file data which - describes how to access the remote webhook service. - The namespace for the referenced secret is openshift-config. - - For further details, see: - - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - kubeConfig - type: object - webhookTokenAuthenticators: - description: webhookTokenAuthenticators is DEPRECATED, setting - it has no effect. 
- items: - description: |- - deprecatedWebhookTokenAuthenticator holds the necessary configuration options for a remote token authenticator. - It's the same as WebhookTokenAuthenticator but it's missing the 'required' validation on KubeConfig field. - properties: - kubeConfig: - description: |- - kubeConfig contains kube config file data which describes how to access the remote webhook service. - For further details, see: - https://kubernetes.io/docs/reference/access-authn-authz/authentication/#webhook-token-authentication - The key "kubeConfig" is used to locate the data. - If the secret or expected key is not found, the webhook is not honored. - If the specified kube config data is not valid, the webhook is not honored. - The namespace for this secret is determined by the point of use. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - type: array - x-kubernetes-list-type: atomic - type: object - featureGate: - description: FeatureGate holds cluster-wide information about - feature gates. - properties: - customNoUpgrade: - description: |- - customNoUpgrade allows the enabling or disabling of any feature. Turning this feature set on IS NOT SUPPORTED, CANNOT BE UNDONE, and PREVENTS UPGRADES. - Because of its nature, this setting cannot be validated. If you have any typos or accidentally apply invalid combinations - your cluster may fail in an unrecoverable way. featureSet must equal "CustomNoUpgrade" must be set to use this field. 
- nullable: true - properties: - disabled: - description: disabled is a list of all feature gates that - you want to force off - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - enabled: - description: enabled is a list of all feature gates that - you want to force on - items: - description: FeatureGateName is a string to enforce - patterns on the name of a FeatureGate - pattern: ^([A-Za-z0-9-]+\.)*[A-Za-z0-9-]+\.?$ - type: string - type: array - type: object - featureSet: - description: |- - featureSet changes the list of features in the cluster. The default is empty. Be very careful adjusting this setting. - Turning on or off features may cause irreversible changes in your cluster which cannot be undone. - type: string - x-kubernetes-validations: - - message: CustomNoUpgrade may not be changed - rule: 'oldSelf == ''CustomNoUpgrade'' ? self == ''CustomNoUpgrade'' - : true' - - message: TechPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''TechPreviewNoUpgrade'' ? self == ''TechPreviewNoUpgrade'' - : true' - - message: DevPreviewNoUpgrade may not be changed - rule: 'oldSelf == ''DevPreviewNoUpgrade'' ? self == ''DevPreviewNoUpgrade'' - : true' - type: object - image: - description: |- - Image governs policies related to imagestream imports and runtime configuration - for external registries. It allows cluster admins to configure which registries - OpenShift is allowed to import images from, extra CA trust bundles for external - registries, and policies to block or allow registry hostnames. - When exposing OpenShift's image registry to the public, this also lets cluster - admins specify the external hostname. 
- properties: - additionalTrustedCA: - description: |- - additionalTrustedCA is a reference to a ConfigMap containing additional CAs that - should be trusted during imagestream import, pod image pull, build image pull, and - imageregistry pullthrough. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - allowedRegistriesForImport: - description: |- - allowedRegistriesForImport limits the container image registries that normal users may import - images from. Set this list to the registries that you trust to contain valid Docker - images and that you want applications to be able to import from. Users with - permission to create Images or ImageStreamMappings via the API are not affected by - this policy - typically only administrators or system integrations will have those - permissions. - items: - description: |- - RegistryLocation contains a location of the registry specified by the registry domain - name. The domain name might include wildcards, like '*' or '??'. - properties: - domainName: - description: |- - domainName specifies a domain name for the registry - In case the registry use non-standard (80 or 443) port, the port should be included - in the domain name as well. - type: string - insecure: - description: |- - insecure indicates whether the registry is secure (https) or insecure (http) - By default (if not specified) the registry is assumed as secure. - type: boolean - type: object - type: array - externalRegistryHostnames: - description: |- - externalRegistryHostnames provides the hostnames for the default external image - registry. The external hostname should be set only when the image registry - is exposed externally. The first value is used in 'publicDockerImageRepository' - field in ImageStreams. The value must be in "hostname[:port]" format. 
- items: - type: string - type: array - registrySources: - description: |- - registrySources contains configuration that determines how the container runtime - should treat individual registries when accessing images for builds+pods. (e.g. - whether or not to allow insecure access). It does not contain configuration for the - internal cluster registry. - properties: - allowedRegistries: - description: |- - allowedRegistries are the only registries permitted for image pull and push actions. All other registries are denied. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - blockedRegistries: - description: |- - blockedRegistries cannot be used for image pull and push actions. All other registries are permitted. - - Only one of BlockedRegistries or AllowedRegistries may be set. - items: - type: string - type: array - containerRuntimeSearchRegistries: - description: |- - containerRuntimeSearchRegistries are registries that will be searched when pulling images that do not have fully qualified - domains in their pull specs. Registries will be searched in the order provided in the list. - Note: this search list only works with the container runtime, i.e CRI-O. Will NOT work with builds or imagestream imports. - format: hostname - items: - type: string - minItems: 1 - type: array - x-kubernetes-list-type: set - insecureRegistries: - description: insecureRegistries are registries which do - not have a valid TLS certificates or only support HTTP - connections. - items: - type: string - type: array - type: object - type: object - ingress: - description: |- - Ingress holds cluster-wide information about ingress, including the default ingress domain - used for routes. - properties: - appsDomain: - description: |- - appsDomain is an optional domain to use instead of the one specified - in the domain field when a Route is created without specifying an explicit - host. 
If appsDomain is nonempty, this value is used to generate default - host values for Route. Unlike domain, appsDomain may be modified after - installation. - This assumes a new ingresscontroller has been setup with a wildcard - certificate. - type: string - componentRoutes: - description: |- - componentRoutes is an optional list of routes that are managed by OpenShift components - that a cluster-admin is able to configure the hostname and serving certificate for. - The namespace and name of each route in this list should match an existing entry in the - status.componentRoutes list. - - To determine the set of configurable Routes, look at namespace and name of entries in the - .status.componentRoutes list, where participating operators write the status of - configurable routes. - items: - description: ComponentRouteSpec allows for configuration - of a route's hostname and serving certificate. - properties: - hostname: - description: hostname is the hostname that should be - used by the route. - pattern: ^([a-zA-Z0-9\p{S}\p{L}]((-?[a-zA-Z0-9\p{S}\p{L}]{0,62})?)|([a-zA-Z0-9\p{S}\p{L}](([a-zA-Z0-9-\p{S}\p{L}]{0,61}[a-zA-Z0-9\p{S}\p{L}])?)(\.)){1,}([a-zA-Z\p{L}]){2,63})$|^(([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})[\.]){0,}([a-z0-9][-a-z0-9]{0,61}[a-z0-9]|[a-z0-9]{1,63})$ - type: string - name: - description: |- - name is the logical name of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. - maxLength: 256 - minLength: 1 - type: string - namespace: - description: |- - namespace is the namespace of the route to customize. - - The namespace and name of this componentRoute must match a corresponding - entry in the list of status.componentRoutes if the route is to be customized. 
- maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - servingCertKeyPairSecret: - description: |- - servingCertKeyPairSecret is a reference to a secret of type `kubernetes.io/tls` in the openshift-config namespace. - The serving cert/key pair must match and will be used by the operator to fulfill the intent of serving with this name. - If the custom hostname uses the default routing suffix of the cluster, - the Secret specification for a serving certificate will not be needed. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - required: - - hostname - - name - - namespace - type: object - type: array - x-kubernetes-list-map-keys: - - namespace - - name - x-kubernetes-list-type: map - domain: - description: |- - domain is used to generate a default host name for a route when the - route's host name is empty. The generated host name will follow this - pattern: "..". - - It is also used as the default wildcard domain suffix for ingress. The - default ingresscontroller domain will follow this pattern: "*.". - - Once set, changing domain is not currently supported. - type: string - loadBalancer: - description: |- - loadBalancer contains the load balancer details in general which are not only specific to the underlying infrastructure - provider of the current cluster and are required for Ingress Controller to work on OpenShift. - properties: - platform: - description: |- - platform holds configuration specific to the underlying - infrastructure provider for the ingress load balancers. - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - properties: - aws: - description: aws contains settings specific to the - Amazon Web Services infrastructure provider. - properties: - type: - description: |- - type allows user to set a load balancer type. 
- When this field is set the default ingresscontroller will get created using the specified LBType. - If this field is not set then the default ingress controller of LBType Classic will be created. - Valid values are: - - * "Classic": A Classic Load Balancer that makes routing decisions at either - the transport layer (TCP/SSL) or the application layer (HTTP/HTTPS). See - the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#clb - - * "NLB": A Network Load Balancer that makes routing decisions at the - transport layer (TCP/SSL). See the following for additional details: - - https://docs.aws.amazon.com/AmazonECS/latest/developerguide/load-balancer-types.html#nlb - enum: - - NLB - - Classic - type: string - required: - - type - type: object - type: - description: |- - type is the underlying infrastructure provider for the cluster. - Allowed values are "AWS", "Azure", "BareMetal", "GCP", "Libvirt", - "OpenStack", "VSphere", "oVirt", "KubeVirt", "EquinixMetal", "PowerVS", - "AlibabaCloud", "Nutanix" and "None". Individual components may not support all platforms, - and must handle unrecognized platforms as None if they do not support that platform. - enum: - - "" - - AWS - - Azure - - BareMetal - - GCP - - Libvirt - - OpenStack - - None - - VSphere - - oVirt - - IBMCloud - - KubeVirt - - EquinixMetal - - PowerVS - - AlibabaCloud - - Nutanix - - External - type: string - type: object - type: object - requiredHSTSPolicies: - description: |- - requiredHSTSPolicies specifies HSTS policies that are required to be set on newly created or updated routes - matching the domainPattern/s and namespaceSelector/s that are specified in the policy. - Each requiredHSTSPolicy must have at least a domainPattern and a maxAge to validate a route HSTS Policy route - annotation, and affect route admission. 
- - A candidate route is checked for HSTS Policies if it has the HSTS Policy route annotation: - "haproxy.router.openshift.io/hsts_header" - E.g. haproxy.router.openshift.io/hsts_header: max-age=31536000;preload;includeSubDomains - - - For each candidate route, if it matches a requiredHSTSPolicy domainPattern and optional namespaceSelector, - then the maxAge, preloadPolicy, and includeSubdomainsPolicy must be valid to be admitted. Otherwise, the route - is rejected. - - The first match, by domainPattern and optional namespaceSelector, in the ordering of the RequiredHSTSPolicies - determines the route's admission status. - - If the candidate route doesn't match any requiredHSTSPolicy domainPattern and optional namespaceSelector, - then it may use any HSTS Policy annotation. - - The HSTS policy configuration may be changed after routes have already been created. An update to a previously - admitted route may then fail if the updated route does not conform to the updated HSTS policy configuration. - However, changing the HSTS policy configuration will not cause a route that is already admitted to stop working. - - Note that if there are no RequiredHSTSPolicies, any HSTS Policy annotation on the route is valid. - items: - properties: - domainPatterns: - description: |- - domainPatterns is a list of domains for which the desired HSTS annotations are required. - If domainPatterns is specified and a route is created with a spec.host matching one of the domains, - the route must specify the HSTS Policy components described in the matching RequiredHSTSPolicy. - - The use of wildcards is allowed like this: *.foo.com matches everything under foo.com. - foo.com only matches foo.com, so to cover foo.com and everything under it, you must specify *both*. - items: - type: string - minItems: 1 - type: array - includeSubDomainsPolicy: - description: |- - includeSubDomainsPolicy means the HSTS Policy should apply to any subdomains of the host's - domain name. 
Thus, for the host bar.foo.com, if includeSubDomainsPolicy was set to RequireIncludeSubDomains: - - the host app.bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host bar.foo.com would inherit the HSTS Policy of bar.foo.com - - the host foo.com would NOT inherit the HSTS Policy of bar.foo.com - - the host def.foo.com would NOT inherit the HSTS Policy of bar.foo.com - enum: - - RequireIncludeSubDomains - - RequireNoIncludeSubDomains - - NoOpinion - type: string - maxAge: - description: |- - maxAge is the delta time range in seconds during which hosts are regarded as HSTS hosts. - If set to 0, it negates the effect, and hosts are removed as HSTS hosts. - If set to 0 and includeSubdomains is specified, all subdomains of the host are also removed as HSTS hosts. - maxAge is a time-to-live value, and if this policy is not refreshed on a client, the HSTS - policy will eventually expire on that client. - properties: - largestMaxAge: - description: |- - The largest allowed value (in seconds) of the RequiredHSTSPolicy max-age - This value can be left unspecified, in which case no upper limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - smallestMaxAge: - description: |- - The smallest allowed value (in seconds) of the RequiredHSTSPolicy max-age - Setting max-age=0 allows the deletion of an existing HSTS header from a host. This is a necessary - tool for administrators to quickly correct mistakes. - This value can be left unspecified, in which case no lower limit is enforced. - format: int32 - maximum: 2147483647 - minimum: 0 - type: integer - type: object - namespaceSelector: - description: |- - namespaceSelector specifies a label selector such that the policy applies only to those routes that - are in namespaces with labels that match the selector, and are in one of the DomainPatterns. - Defaults to the empty LabelSelector, which matches everything. 
- properties: - matchExpressions: - description: matchExpressions is a list of label - selector requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the - selector applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - preloadPolicy: - description: |- - preloadPolicy directs the client to include hosts in its host preload list so that - it never needs to do an initial load to get the HSTS header (note that this is not defined - in RFC 6797 and is therefore client implementation-dependent). - enum: - - RequirePreload - - RequireNoPreload - - NoOpinion - type: string - required: - - domainPatterns - type: object - type: array - type: object - network: - description: |- - Network holds cluster-wide information about the network. 
It is used to configure the desired network configuration, such as: IP address pools for services/pod IPs, network plugin, etc. - Please view network.spec for an explanation on what applies when configuring this resource. - properties: - clusterNetwork: - description: |- - IP address pool to use for pod IPs. - This field is immutable after installation. - items: - description: |- - ClusterNetworkEntry is a contiguous block of IP addresses from which pod IPs - are allocated. - properties: - cidr: - description: The complete block for pod IPs. - type: string - hostPrefix: - description: |- - The size (prefix) of block to allocate to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - minimum: 0 - type: integer - type: object - type: array - x-kubernetes-list-type: atomic - externalIP: - description: |- - externalIP defines configuration for controllers that - affect Service.ExternalIP. If nil, then ExternalIP is - not allowed to be set. - properties: - autoAssignCIDRs: - description: |- - autoAssignCIDRs is a list of CIDRs from which to automatically assign - Service.ExternalIP. These are assigned when the service is of type - LoadBalancer. In general, this is only useful for bare-metal clusters. - In Openshift 3.x, this was misleadingly called "IngressIPs". - Automatically assigned External IPs are not affected by any - ExternalIPPolicy rules. - Currently, only one entry may be provided. - items: - type: string - type: array - x-kubernetes-list-type: atomic - policy: - description: |- - policy is a set of restrictions applied to the ExternalIP field. - If nil or empty, then ExternalIP is not allowed to be set. - properties: - allowedCIDRs: - description: allowedCIDRs is the list of allowed CIDRs. - items: - type: string - type: array - x-kubernetes-list-type: atomic - rejectedCIDRs: - description: |- - rejectedCIDRs is the list of disallowed CIDRs. These take precedence - over allowedCIDRs. 
- items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkDiagnostics: - description: |- - networkDiagnostics defines network diagnostics configuration. - - Takes precedence over spec.disableNetworkDiagnostics in network.operator.openshift.io. - If networkDiagnostics is not specified or is empty, - and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, - the network diagnostics feature will be disabled. - properties: - mode: - description: |- - mode controls the network diagnostics mode - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is All. - enum: - - "" - - All - - Disabled - type: string - sourcePlacement: - description: |- - sourcePlacement controls the scheduling of network diagnostics source deployment - - See NetworkDiagnosticsSourcePlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. - type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is an empty list. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. 
- When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - targetPlacement: - description: |- - targetPlacement controls the scheduling of network diagnostics target daemonset - - See NetworkDiagnosticsTargetPlacement for more details about default values. - properties: - nodeSelector: - additionalProperties: - type: string - description: |- - nodeSelector is the node selector applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `kubernetes.io/os: linux`. 
- type: object - tolerations: - description: |- - tolerations is a list of tolerations applied to network diagnostics components - - When omitted, this means the user has no opinion and the platform is left - to choose reasonable defaults. These defaults are subject to change over time. - The current default is `- operator: "Exists"` which means that all taints are tolerated. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. 
- type: string - type: object - type: array - x-kubernetes-list-type: atomic - type: object - type: object - networkType: - description: |- - NetworkType is the plugin that is to be deployed (e.g. OpenShiftSDN). - This should match a value that the cluster-network-operator understands, - or else no networking will be installed. - Currently supported values are: - - OpenShiftSDN - This field is immutable after installation. - type: string - serviceNetwork: - description: |- - IP address pool for services. - Currently, we only support a single entry here. - This field is immutable after installation. - items: - type: string - type: array - x-kubernetes-list-type: atomic - serviceNodePortRange: - description: |- - The port range allowed for Services of type NodePort. - If not specified, the default of 30000-32767 will be used. - Such Services without a NodePort specified will have one - automatically allocated from this range. - This parameter can be updated after the cluster is - installed. - pattern: ^([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])-([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])$ - type: string - type: object - x-kubernetes-validations: - - message: cannot set networkDiagnostics.sourcePlacement and networkDiagnostics.targetPlacement - when networkDiagnostics.mode is Disabled - rule: '!has(self.networkDiagnostics) || !has(self.networkDiagnostics.mode) - || self.networkDiagnostics.mode!=''Disabled'' || !has(self.networkDiagnostics.sourcePlacement) - && !has(self.networkDiagnostics.targetPlacement)' - oauth: - description: |- - OAuth holds cluster-wide information about OAuth. - It is used to configure the integrated OAuth server. - This configuration is only honored when the top level Authentication config has type set to IntegratedOAuth. - properties: - identityProviders: - description: |- - identityProviders is an ordered list of ways for a user to identify themselves. 
- When this list is empty, no identities are provisioned for users. - items: - description: IdentityProvider provides identities for users - authenticating using credentials - properties: - basicAuth: - description: basicAuth contains configuration options - for the BasicAuth IdP - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. 
- If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - github: - description: github enables user authentication using - GitHub credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - This can only be configured when hostname is set to a non-empty value. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostname: - description: |- - hostname is the optional domain (e.g. "mycompany.com") for use with a hosted instance of - GitHub Enterprise. 
- It must match the GitHub Enterprise settings value configured at /setup/settings#hostname. - type: string - organizations: - description: organizations optionally restricts - which organizations are allowed to log in - items: - type: string - type: array - teams: - description: teams optionally restricts which teams - are allowed to log in. Format is /. - items: - type: string - type: array - type: object - gitlab: - description: gitlab enables user authentication using - GitLab credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the oauth server base URL - type: string - type: object - google: - description: google enables user authentication using - Google credentials - properties: - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - hostedDomain: - description: hostedDomain is the optional Google - App domain (e.g. "mycompany.com") to restrict - logins to - type: string - type: object - htpasswd: - description: htpasswd enables user authentication using - an HTPasswd file to validate credentials - properties: - fileData: - description: |- - fileData is a required reference to a secret by name containing the data to use as the htpasswd file. - The key "htpasswd" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - If the specified htpasswd data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - type: object - keystone: - description: keystone enables user authentication using - keystone password credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. 
- It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - domainName: - description: domainName is required for keystone - v3 - type: string - tlsClientCert: - description: |- - tlsClientCert is an optional reference to a secret by name that contains the - PEM-encoded TLS client certificate to present when connecting to the server. - The key "tls.crt" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - tlsClientKey: - description: |- - tlsClientKey is an optional reference to a secret by name that contains the - PEM-encoded TLS private key for the client certificate referenced in tlsClientCert. - The key "tls.key" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - If the specified certificate data is not valid, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - url: - description: url is the remote URL to connect to - type: string - type: object - ldap: - description: ldap enables user authentication using - LDAP credentials - properties: - attributes: - description: attributes maps LDAP attributes to - identities - properties: - email: - description: |- - email is the list of attributes whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - id: - description: |- - id is the list of attributes whose values should be used as the user ID. Required. - First non-empty attribute is used. At least one attribute is required. If none of the listed - attribute have a value, authentication fails. - LDAP standard identity attribute is "dn" - items: - type: string - type: array - name: - description: |- - name is the list of attributes whose values should be used as the display name. Optional. - If unspecified, no display name is set for the identity - LDAP standard display name attribute is "cn" - items: - type: string - type: array - preferredUsername: - description: |- - preferredUsername is the list of attributes whose values should be used as the preferred username. - LDAP standard login attribute is "uid" - items: - type: string - type: array - type: object - bindDN: - description: bindDN is an optional DN to bind with - during the search phase. - type: string - bindPassword: - description: |- - bindPassword is an optional reference to a secret by name - containing a password to bind with during the search phase. - The key "bindPassword" is used to locate the data. - If specified and the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. 
- properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - insecure: - description: |- - insecure, if true, indicates the connection should not use TLS - WARNING: Should not be set to `true` with the URL scheme "ldaps://" as "ldaps://" URLs always - attempt to connect using TLS, even when `insecure` is set to `true` - When `true`, "ldap://" URLS connect insecurely. When `false`, "ldap://" URLs are upgraded to - a TLS connection using StartTLS as specified in https://tools.ietf.org/html/rfc2830. - type: boolean - url: - description: |- - url is an RFC 2255 URL which specifies the LDAP search parameters to use. - The syntax of the URL is: - ldap://host:port/basedn?attribute?scope?filter - type: string - type: object - mappingMethod: - description: |- - mappingMethod determines how identities from this provider are mapped to users - Defaults to "claim" - type: string - name: - description: |- - name is used to qualify the identities returned by this provider. - - It MUST be unique and not shared by any other identity provider used - - It MUST be a valid path segment: name cannot equal "." or ".." 
or contain "/" or "%" or ":" - Ref: https://godoc.org/github.com/openshift/origin/pkg/user/apis/user/validation#ValidateIdentityProviderName - type: string - openID: - description: openID enables user authentication using - OpenID credentials - properties: - ca: - description: |- - ca is an optional reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - The key "ca.crt" is used to locate the data. - If specified and the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - If empty, the default system roots are used. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - claims: - description: claims mappings - properties: - email: - description: |- - email is the list of claims whose values should be used as the email address. Optional. - If unspecified, no email is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - groups: - description: |- - groups is the list of claims value of which should be used to synchronize groups - from the OIDC provider to OpenShift for the user. - If multiple claims are specified, the first one with a non-empty value is used. - items: - description: |- - OpenIDClaim represents a claim retrieved from an OpenID provider's tokens or userInfo - responses - minLength: 1 - type: string - type: array - x-kubernetes-list-type: atomic - name: - description: |- - name is the list of claims whose values should be used as the display name. Optional. 
- If unspecified, no display name is set for the identity - items: - type: string - type: array - x-kubernetes-list-type: atomic - preferredUsername: - description: |- - preferredUsername is the list of claims whose values should be used as the preferred username. - If unspecified, the preferred username is determined from the value of the sub claim - items: - type: string - type: array - x-kubernetes-list-type: atomic - type: object - clientID: - description: clientID is the oauth client ID - type: string - clientSecret: - description: |- - clientSecret is a required reference to the secret by name containing the oauth client secret. - The key "clientSecret" is used to locate the data. - If the secret or expected key is not found, the identity provider is not honored. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced secret - type: string - required: - - name - type: object - extraAuthorizeParameters: - additionalProperties: - type: string - description: extraAuthorizeParameters are any custom - parameters to add to the authorize request. - type: object - extraScopes: - description: extraScopes are any scopes to request - in addition to the standard "openid" scope. - items: - type: string - type: array - issuer: - description: |- - issuer is the URL that the OpenID Provider asserts as its Issuer Identifier. - It must use the https scheme with no query or fragment component. - type: string - type: object - requestHeader: - description: requestHeader enables user authentication - using request header credentials - properties: - ca: - description: |- - ca is a required reference to a config map by name containing the PEM-encoded CA bundle. - It is used as a trust anchor to validate the TLS certificate presented by the remote server. - Specifically, it allows verification of incoming requests to prevent header spoofing. - The key "ca.crt" is used to locate the data. 
- If the config map or expected key is not found, the identity provider is not honored. - If the specified ca data is not valid, the identity provider is not honored. - The namespace for this config map is openshift-config. - properties: - name: - description: name is the metadata.name of the - referenced config map - type: string - required: - - name - type: object - challengeURL: - description: |- - challengeURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect WWW-Authenticate challenges will be - redirected here. - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when challenge is set to true. - type: string - clientCommonNames: - description: |- - clientCommonNames is an optional list of common names to require a match from. If empty, any - client certificate validated against the clientCA bundle is considered authoritative. - items: - type: string - type: array - emailHeaders: - description: emailHeaders is the set of headers - to check for the email address - items: - type: string - type: array - headers: - description: headers is the set of headers to check - for identity information - items: - type: string - type: array - loginURL: - description: |- - loginURL is a URL to redirect unauthenticated /authorize requests to - Unauthenticated requests from OAuth clients which expect interactive logins will be redirected here - ${url} is replaced with the current URL, escaped to be safe in a query parameter - https://www.example.com/sso-login?then=${url} - ${query} is replaced with the current query string - https://www.example.com/auth-proxy/oauth/authorize?${query} - Required when login is set to true. 
- type: string - nameHeaders: - description: nameHeaders is the set of headers to - check for the display name - items: - type: string - type: array - preferredUsernameHeaders: - description: preferredUsernameHeaders is the set - of headers to check for the preferred username - items: - type: string - type: array - type: object - type: - description: type identifies the identity provider type - for this entry. - type: string - type: object - type: array - x-kubernetes-list-type: atomic - templates: - description: templates allow you to customize pages like the - login page. - properties: - error: - description: |- - error is the name of a secret that specifies a go template to use to render error pages - during the authentication or grant flow. - The key "errors.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default error page is used. - If the specified template is not valid, the default error page is used. - If unspecified, the default error page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - login: - description: |- - login is the name of a secret that specifies a go template to use to render the login page. - The key "login.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default login page is used. - If the specified template is not valid, the default login page is used. - If unspecified, the default login page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - providerSelection: - description: |- - providerSelection is the name of a secret that specifies a go template to use to render - the provider selection page. 
- The key "providers.html" is used to locate the template data. - If specified and the secret or expected key is not found, the default provider selection page is used. - If the specified template is not valid, the default provider selection page is used. - If unspecified, the default provider selection page is used. - The namespace for this secret is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - secret - type: string - required: - - name - type: object - type: object - tokenConfig: - description: tokenConfig contains options for authorization - and access tokens - properties: - accessTokenInactivityTimeout: - description: |- - accessTokenInactivityTimeout defines the token inactivity timeout - for tokens granted by any client. - The value represents the maximum amount of time that can occur between - consecutive uses of the token. Tokens become invalid if they are not - used within this temporal window. The user will need to acquire a new - token to regain access once a token times out. Takes valid time - duration string such as "5m", "1.5h" or "2h45m". The minimum allowed - value for duration is 300s (5 minutes). If the timeout is configured - per client, then that value takes precedence. If the timeout value is - not specified and the client does not override the value, then tokens - are valid until their lifetime. - - WARNING: existing tokens' timeout will not be affected (lowered) by changing this value - type: string - accessTokenInactivityTimeoutSeconds: - description: 'accessTokenInactivityTimeoutSeconds - DEPRECATED: - setting this field has no effect.' 
- format: int32 - type: integer - accessTokenMaxAgeSeconds: - description: accessTokenMaxAgeSeconds defines the maximum - age of access tokens - format: int32 - type: integer - type: object - type: object - x-kubernetes-validations: - - message: spec.configuration.oauth.tokenConfig.accessTokenInactivityTimeout - minimum acceptable token timeout value is 300 seconds - rule: '!has(self.tokenConfig) || !has(self.tokenConfig.accessTokenInactivityTimeout) - || duration(self.tokenConfig.accessTokenInactivityTimeout).getSeconds() - >= 300' - operatorhub: - description: |- - OperatorHub specifies the configuration for the Operator Lifecycle Manager in the HostedCluster. This is only configured at deployment time but the controller are not reconcilling over it. - The OperatorHub configuration will be constantly reconciled if catalog placement is management, but only on cluster creation otherwise. - properties: - disableAllDefaultSources: - description: |- - disableAllDefaultSources allows you to disable all the default hub - sources. If this is true, a specific entry in sources can be used to - enable a default source. If this is false, a specific entry in - sources can be used to disable or enable a default source. - type: boolean - sources: - description: |- - sources is the list of default hub sources and their configuration. - If the list is empty, it implies that the default hub sources are - enabled on the cluster unless disableAllDefaultSources is true. - If disableAllDefaultSources is true and sources is not empty, - the configuration present in sources will take precedence. The list of - default hub sources and their current state will always be reflected in - the status block. 
- items: - description: HubSource is used to specify the hub source - and its configuration - properties: - disabled: - description: disabled is used to disable a default hub - source on cluster - type: boolean - name: - description: name is the name of one of the default - hub sources - maxLength: 253 - minLength: 1 - type: string - type: object - type: array - type: object - proxy: - description: Proxy holds cluster-wide information on how to configure - default proxies for the cluster. - properties: - httpProxy: - description: httpProxy is the URL of the proxy for HTTP requests. Empty - means unset and will not result in an env var. - type: string - httpsProxy: - description: httpsProxy is the URL of the proxy for HTTPS - requests. Empty means unset and will not result in an env - var. - type: string - noProxy: - description: |- - noProxy is a comma-separated list of hostnames and/or CIDRs and/or IPs for which the proxy should not be used. - Empty means unset and will not result in an env var. - type: string - readinessEndpoints: - description: readinessEndpoints is a list of endpoints used - to verify readiness of the proxy. - items: - type: string - type: array - trustedCA: - description: |- - trustedCA is a reference to a ConfigMap containing a CA certificate bundle. - The trustedCA field should only be consumed by a proxy validator. The - validator is responsible for reading the certificate bundle from the required - key "ca-bundle.crt", merging it with the system default trust bundle, - and writing the merged trust bundle to a ConfigMap named "trusted-ca-bundle" - in the "openshift-config-managed" namespace. Clients that expect to make - proxy connections must use the trusted-ca-bundle for all HTTPS requests to - the proxy, and may use the trusted-ca-bundle for non-proxy HTTPS requests as - well. - - The namespace for the ConfigMap referenced by trustedCA is - "openshift-config". 
Here is an example ConfigMap (in yaml): - - apiVersion: v1 - kind: ConfigMap - metadata: - name: user-ca-bundle - namespace: openshift-config - data: - ca-bundle.crt: | - -----BEGIN CERTIFICATE----- - Custom CA certificate bundle. - -----END CERTIFICATE----- - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - type: object - scheduler: - description: |- - Scheduler holds cluster-wide config information to run the Kubernetes Scheduler - and influence its placement decisions. The canonical name for this config is `cluster`. - properties: - defaultNodeSelector: - description: |- - defaultNodeSelector helps set the cluster-wide default node selector to - restrict pod placement to specific nodes. This is applied to the pods - created in all namespaces and creates an intersection with any existing - nodeSelectors already set on a pod, additionally constraining that pod's selector. - For example, - defaultNodeSelector: "type=user-node,region=east" would set nodeSelector - field in pod spec to "type=user-node,region=east" to all pods created - in all namespaces. Namespaces having project-wide node selectors won't be - impacted even if this field is set. This adds an annotation section to - the namespace. - For example, if a new namespace is created with - node-selector='type=user-node,region=east', - the annotation openshift.io/node-selector: type=user-node,region=east - gets added to the project. When the openshift.io/node-selector annotation - is set on the project the value is used in preference to the value we are setting - for defaultNodeSelector field. - For instance, - openshift.io/node-selector: "type=user-node,region=west" means - that the default of "type=user-node,region=east" set in defaultNodeSelector - would not be applied. - type: string - mastersSchedulable: - description: |- - MastersSchedulable allows masters nodes to be schedulable. 
When this flag is - turned on, all the master nodes in the cluster will be made schedulable, - so that workload pods can run on them. The default value for this field is false, - meaning none of the master nodes are schedulable. - Important Note: Once the workload pods start running on the master nodes, - extreme care must be taken to ensure that cluster-critical control plane components - are not impacted. - Please turn on this field after doing due diligence. - type: boolean - policy: - description: |- - DEPRECATED: the scheduler Policy API has been deprecated and will be removed in a future release. - policy is a reference to a ConfigMap containing scheduler policy which has - user specified predicates and priorities. If this ConfigMap is not available - scheduler will default to use DefaultAlgorithmProvider. - The namespace for this configmap is openshift-config. - properties: - name: - description: name is the metadata.name of the referenced - config map - type: string - required: - - name - type: object - profile: - description: |- - profile sets which scheduling profile should be set in order to configure scheduling - decisions for new pods. - - Valid values are "LowNodeUtilization", "HighNodeUtilization", "NoScoring" - Defaults to "LowNodeUtilization" - enum: - - "" - - LowNodeUtilization - - HighNodeUtilization - - NoScoring - type: string - profileCustomizations: - description: profileCustomizations contains configuration - for modifying the default behavior of existing scheduler - profiles. - properties: - dynamicResourceAllocation: - description: |- - dynamicResourceAllocation allows to enable or disable dynamic resource allocation within the scheduler. - Dynamic resource allocation is an API for requesting and sharing resources between pods and containers inside a pod. - Third-party resource drivers are responsible for tracking and allocating resources. 
- Different kinds of resources support arbitrary parameters for defining requirements and initialization. - Valid values are Enabled, Disabled and omitted. - When omitted, this means no opinion and the platform is left to choose a reasonable default, - which is subject to change over time. - The current default is Disabled. - enum: - - "" - - Enabled - - Disabled - type: string - type: object - type: object - type: object - controlPlaneReleaseImage: - description: |- - ControlPlaneReleaseImage specifies the desired OCP release payload for - control plane components running on the management cluster. - If not defined, ReleaseImage is used - type: string - controllerAvailabilityPolicy: - default: SingleReplica - description: |- - ControllerAvailabilityPolicy specifies the availability policy applied to - critical control plane components. The default value is SingleReplica. - type: string - x-kubernetes-validations: - - message: ControllerAvailabilityPolicy is immutable - rule: self == oldSelf - dns: - description: DNSSpec specifies the DNS configuration in the cluster. - properties: - baseDomain: - description: BaseDomain is the base domain of the cluster. - type: string - baseDomainPrefix: - description: |- - BaseDomainPrefix is the base domain prefix of the cluster. - defaults to clusterName if not set. Set it to "" if you don't want a prefix to be prepended to BaseDomain. - type: string - privateZoneID: - description: |- - PrivateZoneID is the Hosted Zone ID where all the DNS records that are only - available internally to the cluster exist. - type: string - publicZoneID: - description: |- - PublicZoneID is the Hosted Zone ID where all the DNS records that are - publicly accessible to the internet exist. - type: string - required: - - baseDomain - type: object - etcd: - description: |- - Etcd contains metadata about the etcd cluster the hypershift managed Openshift control plane components - use to store data. 
- properties: - managed: - description: Managed specifies the behavior of an etcd cluster - managed by HyperShift. - properties: - storage: - description: Storage specifies how etcd data is persisted. - properties: - persistentVolume: - description: |- - PersistentVolume is the configuration for PersistentVolume etcd storage. - With this implementation, a PersistentVolume will be allocated for every - etcd member (either 1 or 3 depending on the HostedCluster control plane - availability configuration). - properties: - size: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Size is the minimum size of the data - volume for each etcd member. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - x-kubernetes-validations: - - message: Etcd PV storage size is immutable - rule: self == oldSelf - storageClassName: - description: |- - StorageClassName is the StorageClass of the data volume for each etcd member. - - See https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1. - type: string - type: object - restoreSnapshotURL: - description: |- - RestoreSnapshotURL allows an optional URL to be provided where - an etcd snapshot can be downloaded, for example a pre-signed URL - referencing a storage service. - This snapshot will be restored on initial startup, only when the etcd PV - is empty. - items: - type: string - type: array - x-kubernetes-validations: - - message: RestoreSnapshotURL shouldn't contain more than - 1 entry - rule: self.size() <= 1 - type: - description: Type is the kind of persistent storage implementation - to use for etcd. - enum: - - PersistentVolume - type: string - required: - - type - type: object - required: - - storage - type: object - managementType: - description: ManagementType defines how the etcd cluster is managed. 
- enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: |- - Unmanaged specifies configuration which enables the control plane to - integrate with an eternally managed etcd cluster. - properties: - endpoint: - description: |- - Endpoint is the full etcd cluster client endpoint URL. For example: - - https://etcd-client:2379 - - If the URL uses an HTTPS scheme, the TLS field is required. - pattern: ^https:// - type: string - tls: - description: TLS specifies TLS configuration for HTTPS etcd - client endpoints. - properties: - clientSecret: - description: |- - ClientSecret refers to a secret for client mTLS authentication with the etcd cluster. It - may have the following key/value pairs: - - etcd-client-ca.crt: Certificate Authority value - etcd-client.crt: Client certificate value - etcd-client.key: Client certificate key value - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - clientSecret - type: object - required: - - endpoint - - tls - type: object - required: - - managementType - type: object - fips: - description: FIPS specifies if the nodes for the cluster will be running - in FIPS mode - type: boolean - imageContentSources: - description: ImageContentSources lists sources/repositories for the - release-image content. - items: - description: |- - ImageContentSource specifies image mirrors that can be used by cluster nodes - to pull content. For cluster workloads, if a container image registry host of - the pullspec matches Source then one of the Mirrors are substituted as hosts - in the pullspec and tried in order to fetch the image. 
- properties: - mirrors: - description: Mirrors are one or more repositories that may also - contain the same images. - items: - type: string - type: array - source: - description: |- - Source is the repository that users refer to, e.g. in image pull - specifications. - type: string - required: - - source - type: object - type: array - infraID: - type: string - infrastructureAvailabilityPolicy: - default: SingleReplica - description: |- - InfrastructureAvailabilityPolicy specifies the availability policy applied - to infrastructure services which run on cluster nodes. The default value is - SingleReplica. - type: string - issuerURL: - description: |- - IssuerURL is an OIDC issuer URL which is used as the issuer in all - ServiceAccount tokens generated by the control plane API server. The - default value is kubernetes.default.svc, which only works for in-cluster - validation. - type: string - kubeconfig: - description: KubeConfig specifies the name and key for the kubeconfig - secret - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - networking: - description: |- - Networking specifies network configuration for the cluster. - Temporarily optional for backward compatibility, required in future releases. - properties: - apiServer: - description: |- - APIServer contains advanced network settings for the API server that affect - how the APIServer is exposed inside a cluster node. - properties: - advertiseAddress: - description: |- - AdvertiseAddress is the address that nodes will use to talk to the API - server. This is an address associated with the loopback adapter of each - node. If not specified, the controller will take default values. - The default values will be set as 172.20.0.1 or fd00::1. - type: string - allowedCIDRBlocks: - description: |- - AllowedCIDRBlocks is an allow list of CIDR blocks that can access the APIServer - If not specified, traffic is allowed from all addresses. 
- This depends on underlying support by the cloud provider for Service LoadBalancerSourceRanges - items: - pattern: ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(3[0-2]|[1-2][0-9]|[0-9]))$ - type: string - type: array - port: - description: |- - Port is the port at which the APIServer is exposed inside a node. Other - pods using host networking cannot listen on this port. - If unset 6443 is used. - This is useful to choose a port other than the default one which might interfere with customer environments e.g. https://github.com/openshift/hypershift/pull/356. - Setting this to 443 is possible only for backward compatibility reasons and it's discouraged. - Doing so, it would result in the controller overriding the KAS endpoint in the guest cluster having a discrepancy with the KAS Pod and potentially causing temporarily network failures. - format: int32 - type: integer - type: object - clusterNetwork: - default: - - cidr: 10.132.0.0/14 - description: ClusterNetwork is the list of IP address pools for - pods. - items: - description: |- - ClusterNetworkEntry is a single IP address block for pod IP blocks. IP blocks - are allocated with size 2^HostSubnetLength. - properties: - cidr: - description: CIDR is the IP block address pool. - type: string - hostPrefix: - description: |- - HostPrefix is the prefix size to allocate to each node from the CIDR. - For example, 24 would allocate 2^8=256 adresses to each node. If this - field is not used by the plugin, it can be left unset. - format: int32 - type: integer - required: - - cidr - type: object - type: array - machineNetwork: - description: MachineNetwork is the list of IP address pools for - machines. - items: - description: MachineNetworkEntry is a single IP address block - for node IP blocks. - properties: - cidr: - description: CIDR is the IP block address pool for machines - within the cluster. 
- type: string - required: - - cidr - type: object - type: array - networkType: - default: OVNKubernetes - description: NetworkType specifies the SDN provider used for cluster - networking. - enum: - - OpenShiftSDN - - Calico - - OVNKubernetes - - Other - type: string - serviceNetwork: - default: - - cidr: 172.31.0.0/16 - description: |- - ServiceNetwork is the list of IP address pools for services. - NOTE: currently only one entry is supported. - items: - description: ServiceNetworkEntry is a single IP address block - for the service network. - properties: - cidr: - description: CIDR is the IP block address pool for services - within the cluster. - type: string - required: - - cidr - type: object - type: array - required: - - clusterNetwork - - networkType - type: object - nodeSelector: - additionalProperties: - type: string - description: NodeSelector when specified, must be true for the pods - managed by the HostedCluster to be scheduled. - type: object - olmCatalogPlacement: - default: management - description: |- - OLMCatalogPlacement specifies the placement of OLM catalog components. By default, - this is set to management and OLM catalog components are deployed onto the management - cluster. If set to guest, the OLM catalog components will be deployed onto the guest - cluster. - enum: - - management - - guest - type: string - pausedUntil: - description: |- - PausedUntil is a field that can be used to pause reconciliation on a resource. - Either a date can be provided in RFC3339 format or a boolean. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - type: string - platform: - description: |- - PlatformSpec specifies the underlying infrastructure provider for the cluster - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies configuration for agent-based installations. 
- properties: - agentNamespace: - description: AgentNamespace is the namespace where to search - for Agents for this cluster - type: string - required: - - agentNamespace - type: object - aws: - description: AWS specifies configuration for clusters running - on Amazon Web Services. - properties: - additionalAllowedPrincipals: - description: |- - AdditionalAllowedPrincipals specifies a list of additional allowed principal ARNs - to be added to the hosted control plane's VPC Endpoint Service to enable additional - VPC Endpoint connection requests to be automatically accepted. - See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html - for more details around VPC Endpoint Service allowed principals. - items: - type: string - type: array - cloudProviderConfig: - description: |- - CloudProviderConfig specifies AWS networking configuration for the control - plane. - This is mainly used for cloud provider controller config: - https://github.com/kubernetes/kubernetes/blob/f5be5052e3d0808abb904aebd3218fe4a5c2dd82/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go#L1347-L1364 - properties: - subnet: - description: Subnet is the subnet to use for control plane - cloud resources. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify - an AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - vpc: - description: VPC is the VPC to use for control plane cloud - resources. - type: string - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - type: string - required: - - vpc - type: object - endpointAccess: - default: Public - description: |- - EndpointAccess specifies the publishing scope of cluster endpoints. The - default is Public. - enum: - - Public - - PublicAndPrivate - - Private - type: string - multiArch: - default: false - description: |- - MultiArch specifies whether the Hosted Cluster will be expected to support NodePools with different - CPU architectures, i.e., supporting arm64 NodePools and supporting amd64 NodePools on the same Hosted Cluster. - Deprecated: This field is no longer used. The HyperShift Operator now performs multi-arch validations - automatically despite the platform type. The HyperShift Operator will set HostedCluster.Status.PayloadArch based - on the HostedCluster release image. This field is used by the NodePool controller to validate the - NodePool.Spec.Arch is supported. - type: boolean - region: - description: |- - Region is the AWS region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot AMI for a given release. - type: string - resourceTags: - description: |- - ResourceTags is a list of additional tags to apply to AWS resources created - for the cluster. See - https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. 
- properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rolesRef: - description: |- - RolesRef contains references to various AWS IAM roles required to enable - integrations such as OIDC. - properties: - controlPlaneOperatorARN: - description: "ControlPlaneOperatorARN is an ARN value - referencing a role appropriate for the Control Plane - Operator.\n\nThe following is an example of a valid - policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"arn:aws:route53:::%s\"\n\t\t}\n\t]\n}" - type: string - imageRegistryARN: - description: "ImageRegistryARN is an ARN value referencing - a role appropriate for the Image Registry Operator.\n\nThe - 
following is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"s3:CreateBucket\",\n\t\t\t\t\"s3:DeleteBucket\",\n\t\t\t\t\"s3:PutBucketTagging\",\n\t\t\t\t\"s3:GetBucketTagging\",\n\t\t\t\t\"s3:PutBucketPublicAccessBlock\",\n\t\t\t\t\"s3:GetBucketPublicAccessBlock\",\n\t\t\t\t\"s3:PutEncryptionConfiguration\",\n\t\t\t\t\"s3:GetEncryptionConfiguration\",\n\t\t\t\t\"s3:PutLifecycleConfiguration\",\n\t\t\t\t\"s3:GetLifecycleConfiguration\",\n\t\t\t\t\"s3:GetBucketLocation\",\n\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\"s3:GetObject\",\n\t\t\t\t\"s3:PutObject\",\n\t\t\t\t\"s3:DeleteObject\",\n\t\t\t\t\"s3:ListBucketMultipartUploads\",\n\t\t\t\t\"s3:AbortMultipartUpload\",\n\t\t\t\t\"s3:ListMultipartUploadParts\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - ingressARN: - description: "The referenced role must have a trust relationship - that allows it to be assumed via web identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ .ProviderName - }}:sub\": {{ .ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nIngressARN - is an ARN value referencing a role appropriate for the - Ingress Operator.\n\nThe following is an example of - a valid policy document:\n\n{\n\t\"Version\": \"2012-10-17\",\n\t\"Statement\": - [\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"elasticloadbalancing:DescribeLoadBalancers\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"route53:ListHostedZones\"\n\t\t\t],\n\t\t\t\"Resource\": - 
\"*\"\n\t\t},\n\t\t{\n\t\t\t\"Effect\": \"Allow\",\n\t\t\t\"Action\": - [\n\t\t\t\t\"route53:ChangeResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - [\n\t\t\t\t\"arn:aws:route53:::PUBLIC_ZONE_ID\",\n\t\t\t\t\"arn:aws:route53:::PRIVATE_ZONE_ID\"\n\t\t\t]\n\t\t}\n\t]\n}" - type: string - kubeCloudControllerARN: - description: |- - KubeCloudControllerARN is an ARN value referencing a role appropriate for the KCM/KCC. - Source: https://cloud-provider-aws.sigs.k8s.io/prerequisites/#iam-policies - - The following is an example of a valid policy document: - - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:DescribeTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstances", - "ec2:DescribeImages", - "ec2:DescribeRegions", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVolumes", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyVolume", - "ec2:AttachVolume", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:DeleteSecurityGroup", - "ec2:DeleteVolume", - "ec2:DetachVolume", - "ec2:RevokeSecurityGroupIngress", - "ec2:DescribeVpcs", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerPolicy", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DetachLoadBalancerFromSubnets", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - 
"elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:CreateServiceLinkedRole", - "kms:DescribeKey" - ], - "Resource": [ - "*" - ], - "Effect": "Allow" - } - ] - } - type: string - networkARN: - description: "NetworkARN is an ARN value referencing a - role appropriate for the Network Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:DescribeInstances\",\n - \ \"ec2:DescribeInstanceStatus\",\n \"ec2:DescribeInstanceTypes\",\n - \ \"ec2:UnassignPrivateIpAddresses\",\n \"ec2:AssignPrivateIpAddresses\",\n - \ \"ec2:UnassignIpv6Addresses\",\n \"ec2:AssignIpv6Addresses\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeNetworkInterfaces\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - nodePoolManagementARN: - description: "NodePoolManagementARN is an ARN value referencing - a role appropriate for the CAPI Controller.\n\nThe following - is an example of a valid policy document:\n\n{\n \"Version\": - \"2012-10-17\",\n \"Statement\": [\n {\n \"Action\": - [\n \"ec2:AssociateRouteTable\",\n \"ec2:AttachInternetGateway\",\n - \ 
\"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateInternetGateway\",\n - \ \"ec2:CreateNatGateway\",\n \"ec2:CreateRoute\",\n - \ \"ec2:CreateRouteTable\",\n \"ec2:CreateSecurityGroup\",\n - \ \"ec2:CreateSubnet\",\n \"ec2:CreateTags\",\n - \ \"ec2:DeleteInternetGateway\",\n \"ec2:DeleteNatGateway\",\n - \ \"ec2:DeleteRouteTable\",\n \"ec2:DeleteSecurityGroup\",\n - \ \"ec2:DeleteSubnet\",\n \"ec2:DeleteTags\",\n - \ \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeAddresses\",\n - \ \"ec2:DescribeAvailabilityZones\",\n \"ec2:DescribeImages\",\n - \ \"ec2:DescribeInstances\",\n \"ec2:DescribeInternetGateways\",\n - \ \"ec2:DescribeNatGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n - \ \"ec2:DescribeNetworkInterfaceAttribute\",\n - \ \"ec2:DescribeRouteTables\",\n \"ec2:DescribeSecurityGroups\",\n - \ \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n - \ \"ec2:DescribeVpcAttribute\",\n \"ec2:DescribeVolumes\",\n - \ \"ec2:DetachInternetGateway\",\n \"ec2:DisassociateRouteTable\",\n - \ \"ec2:DisassociateAddress\",\n \"ec2:ModifyInstanceAttribute\",\n - \ \"ec2:ModifyNetworkInterfaceAttribute\",\n \"ec2:ModifySubnetAttribute\",\n - \ \"ec2:RevokeSecurityGroupIngress\",\n \"ec2:RunInstances\",\n - \ \"ec2:TerminateInstances\",\n \"tag:GetResources\",\n - \ \"ec2:CreateLaunchTemplate\",\n \"ec2:CreateLaunchTemplateVersion\",\n - \ \"ec2:DescribeLaunchTemplates\",\n \"ec2:DescribeLaunchTemplateVersions\",\n - \ \"ec2:DeleteLaunchTemplate\",\n \"ec2:DeleteLaunchTemplateVersions\"\n - \ ],\n \"Resource\": [\n \"*\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n {\n \"Condition\": - {\n \"StringLike\": {\n \"iam:AWSServiceName\": - \"elasticloadbalancing.amazonaws.com\"\n }\n },\n - \ \"Action\": [\n \"iam:CreateServiceLinkedRole\"\n - \ ],\n \"Resource\": [\n \"arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\"\n - \ ],\n \"Effect\": \"Allow\"\n },\n {\n \"Action\": - [\n \"iam:PassRole\"\n ],\n \"Resource\": - 
[\n \"arn:*:iam::*:role/*-worker-role\"\n ],\n - \ \"Effect\": \"Allow\"\n },\n\t {\n\t \t\"Effect\": - \"Allow\",\n\t \t\"Action\": [\n\t \t\t\"kms:Decrypt\",\n\t - \ \t\t\"kms:ReEncrypt\",\n\t \t\t\"kms:GenerateDataKeyWithoutPlainText\",\n\t - \ \t\t\"kms:DescribeKey\"\n\t \t],\n\t \t\"Resource\": - \"*\"\n\t },\n\t {\n\t \t\"Effect\": \"Allow\",\n\t - \ \t\"Action\": [\n\t \t\t\"kms:CreateGrant\"\n\t \t],\n\t - \ \t\"Resource\": \"*\",\n\t \t\"Condition\": {\n\t - \ \t\t\"Bool\": {\n\t \t\t\t\"kms:GrantIsForAWSResource\": - true\n\t \t\t}\n\t \t}\n\t }\n ]\n}" - type: string - storageARN: - description: "StorageARN is an ARN value referencing a - role appropriate for the Storage Operator.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:AttachVolume\",\n\t\t\t\t\"ec2:CreateSnapshot\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"ec2:CreateVolume\",\n\t\t\t\t\"ec2:DeleteSnapshot\",\n\t\t\t\t\"ec2:DeleteTags\",\n\t\t\t\t\"ec2:DeleteVolume\",\n\t\t\t\t\"ec2:DescribeInstances\",\n\t\t\t\t\"ec2:DescribeSnapshots\",\n\t\t\t\t\"ec2:DescribeTags\",\n\t\t\t\t\"ec2:DescribeVolumes\",\n\t\t\t\t\"ec2:DescribeVolumesModifications\",\n\t\t\t\t\"ec2:DetachVolume\",\n\t\t\t\t\"ec2:ModifyVolume\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - type: string - required: - - controlPlaneOperatorARN - - imageRegistryARN - - ingressARN - - kubeCloudControllerARN - - networkARN - - nodePoolManagementARN - - storageARN - type: object - serviceEndpoints: - description: |- - ServiceEndpoints specifies optional custom endpoints which will override - the default service endpoint of specific AWS Services. - - There must be only one ServiceEndpoint for a given service name. - items: - description: |- - AWSServiceEndpoint stores the configuration for services to - override existing defaults of AWS Services. 
- properties: - name: - description: |- - Name is the name of the AWS service. - This must be provided and cannot be empty. - type: string - url: - description: |- - URL is fully qualified URI with scheme https, that overrides the default generated - endpoint for a client. - This must be provided and cannot be empty. - pattern: ^https:// - type: string - required: - - name - - url - type: object - type: array - sharedVPC: - description: |- - SharedVPC contains fields that must be specified if the HostedCluster must use a VPC that is - created in a different AWS account and is shared with the AWS account where the HostedCluster - will be created. - properties: - localZoneID: - description: |- - LocalZoneID is the ID of the route53 hosted zone for [cluster-name].hypershift.local that is - associated with the HostedCluster's VPC and exists in the VPC owner account. - maxLength: 32 - type: string - rolesRef: - description: |- - RolesRef contains references to roles in the VPC owner account that enable a - HostedCluster on a shared VPC. 
- properties: - controlPlaneARN: - description: "ControlPlaneARN is an ARN value referencing - the role in the VPC owner account that allows\nthe - control plane operator in the cluster account to - create and manage a VPC endpoint, its\ncorresponding - Security Group, and DNS records in the hypershift - local hosted zone.\n\nThe referenced role must have - a trust relationship that allows it to be assumed - by the\ncontrol plane operator role in the VPC creator - account.\nExample:\n{\n\t \"Version\": \"2012-10-17\",\n\t - \"Statement\": [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t - \t\t\"Effect\": \"Allow\",\n\t \t\t\"Principal\": - {\n\t \t\t\t\"AWS\": \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-control-plane-operator\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"ec2:CreateVpcEndpoint\",\n\t\t\t\t\"ec2:DescribeVpcEndpoints\",\n\t\t\t\t\"ec2:ModifyVpcEndpoint\",\n\t\t\t\t\"ec2:DeleteVpcEndpoints\",\n\t\t\t\t\"ec2:CreateTags\",\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"ec2:CreateSecurityGroup\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupIngress\",\n\t\t\t\t\"ec2:AuthorizeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DeleteSecurityGroup\",\n\t\t\t\t\"ec2:RevokeSecurityGroupIngress\",\n\t\t\t\t\"ec2:RevokeSecurityGroupEgress\",\n\t\t\t\t\"ec2:DescribeSecurityGroups\",\n\t\t\t\t\"ec2:DescribeVpcs\",\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t}\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - ingressARN: - description: "IngressARN is an ARN value referencing - the role in the VPC owner account that allows the\ningress - operator in the cluster account to create and manage - records in the private 
DNS\nhosted zone.\n\nThe - referenced role must have a trust relationship that - allows it to be assumed by the\ningress operator - role in the VPC creator account.\nExample:\n{\n\t - \"Version\": \"2012-10-17\",\n\t \"Statement\": - [\n\t \t{\n\t \t\t\"Sid\": \"Statement1\",\n\t \t\t\"Effect\": - \"Allow\",\n\t \t\t\"Principal\": {\n\t \t\t\t\"AWS\": - \"arn:aws:iam::[cluster-creator-account-id]:role/[infra-id]-openshift-ingress\"\n\t - \t\t},\n\t \t\t\"Action\": \"sts:AssumeRole\"\n\t - \t}\n\t ]\n}\n\nThe following is an example of the - policy document for this role.\n(Based on https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-shared-vpc-config.html#rosa-sharing-vpc-dns-and-roles_rosa-shared-vpc-config)\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n\t\t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"route53:ListHostedZones\",\n\t\t\t\t\"route53:ListHostedZonesByName\",\n\t\t\t\t\"route53:ChangeTagsForResource\",\n\t\t\t\t\"route53:GetAccountLimit\",\n\t\t\t\t\"route53:GetChange\",\n\t\t\t\t\"route53:GetHostedZone\",\n\t\t\t\t\"route53:ListTagsForResource\",\n\t\t\t\t\"route53:UpdateHostedZoneComment\",\n\t\t\t\t\"tag:GetResources\",\n\t\t\t\t\"tag:UntagResources\"\n\t\t\t\t\"route53:ChangeResourceRecordSets\",\n\t\t\t\t\"route53:ListResourceRecordSets\"\n\t\t\t],\n\t\t\t\"Resource\": - \"*\"\n\t\t},\n\t]\n}" - pattern: ^arn:(aws|aws-cn|aws-us-gov):iam::[0-9]{12}:role\/.*$ - type: string - required: - - controlPlaneARN - - ingressARN - type: object - required: - - localZoneID - - rolesRef - type: object - required: - - region - - rolesRef - type: object - azure: - description: Azure defines azure specific settings - properties: - cloud: - default: AzurePublicCloud - description: 'Cloud is the cloud environment identifier, valid - values could be found here: https://github.com/Azure/go-autorest/blob/4c0e21ca2bbb3251fe7853e6f9df6397f53dd419/autorest/azure/environments.go#L33' - enum: - - AzurePublicCloud - - 
AzureUSGovernmentCloud - - AzureChinaCloud - - AzureGermanCloud - - AzureStackCloud - type: string - credentials: - description: |- - Credentials is the object containing existing Azure credentials needed for creating and managing cloud - infrastructure resources. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - location: - description: |- - Location is the Azure region in where all the cloud infrastructure resources will be created. - - Example: eastus - type: string - x-kubernetes-validations: - - message: Location is immutable - rule: self == oldSelf - managedIdentities: - description: |- - managedIdentities contains the managed identities needed for HCP control plane and data plane components that - authenticate with Azure's API. - properties: - controlPlane: - description: |- - controlPlane contains the client IDs of all the managed identities on the HCP control plane needing to - authenticate with Azure's API. - properties: - cloudProvider: - description: |- - cloudProvider is a pre-existing managed identity associated with the azure cloud provider, aka cloud controller - manager. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - controlPlaneOperator: - description: controlPlaneOperator is a pre-existing - managed identity associated with the control plane - operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - disk: - description: diskClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - file: - description: fileClientID is a pre-existing managed - identity associated with the azure-disk-controller. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. 
This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - imageRegistry: - description: imageRegistry is a pre-existing managed - identity associated with the cluster-image-registry-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - ingress: - description: ingress is a pre-existing managed identity - associated with the cluster-ingress-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. 
- rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - managedIdentitiesKeyVault: - description: |- - managedIdentitiesKeyVault contains information on the management cluster's managed identities Azure Key Vault. - This Key Vault is where the managed identities certificates are stored. These certificates are pulled out of the - Key Vault by the Secrets Store CSI driver and mounted into a volume on control plane pods requiring - authentication with Azure API. - - More information on how the Secrets Store CSI driver works to do this can be found here: - https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. - properties: - name: - description: name is the name of the Azure Key - Vault on the management cluster. - type: string - tenantID: - description: tenantID is the tenant ID of the - Azure Key Vault on the management cluster. - type: string - required: - - name - - tenantID - type: object - network: - description: network is a pre-existing managed identity - associated with the cluster-network-operator. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - nodePoolManagement: - description: nodePoolManagement is a pre-existing - managed identity associated with the operator managing - the NodePools. 
- properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. - type: string - x-kubernetes-validations: - - message: the client ID of a managed identity - must be a valid UUID. It should be 5 groups - of hyphen separated hexadecimal characters - in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - cloudProvider - - controlPlaneOperator - - disk - - file - - imageRegistry - - ingress - - managedIdentitiesKeyVault - - network - - nodePoolManagement - type: object - required: - - controlPlane - type: object - resourceGroup: - default: default - description: |- - ResourceGroupName is the name of an existing resource group where all cloud resources created by the Hosted - Cluster are to be placed. The resource group is expected to exist under the same subscription as SubscriptionID. - - In ARO HCP, this will be the managed resource group where customer cloud resources will be created. - - Resource group naming requirements can be found here: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.ResourceGroup.Name/. - - Example: if your resource group ID is /subscriptions//resourceGroups/, your - ResourceGroupName is . - pattern: ^[a-zA-Z0-9_()\-\.]{1,89}[a-zA-Z0-9_()\-]$ - type: string - x-kubernetes-validations: - - message: ResourceGroupName is immutable - rule: self == oldSelf - securityGroupID: - description: |- - SecurityGroupID is the ID of an existing security group on the SubnetID. This field is provided as part of the - configuration for the Azure cloud provider, aka Azure cloud controller manager (CCM). 
This security group is - expected to exist under the same subscription as SubscriptionID. - type: string - x-kubernetes-validations: - - message: SecurityGroupID is immutable - rule: self == oldSelf - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - subscriptionID: - description: SubscriptionID is a unique identifier for an - Azure subscription used to manage resources. 
- type: string - x-kubernetes-validations: - - message: SubscriptionID is immutable - rule: self == oldSelf - vnetID: - description: |- - VnetID is the ID of an existing VNET to use in creating VMs. The VNET can exist in a different resource group - other than the one specified in ResourceGroupName, but it must exist under the same subscription as - SubscriptionID. - - In ARO HCP, this will be the ID of the customer provided VNET. - - Example: /subscriptions//resourceGroups//providers/Microsoft.Network/virtualNetworks/ - type: string - x-kubernetes-validations: - - message: VnetID is immutable - rule: self == oldSelf - required: - - credentials - - location - - resourceGroup - - securityGroupID - - subnetID - - subscriptionID - - vnetID - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: KubeVirt defines KubeVirt specific settings for cluster - components. - properties: - baseDomainPassthrough: - description: |- - BaseDomainPassthrough toggles whether or not an automatically - generated base domain for the guest cluster should be used that - is a subdomain of the management cluster's *.apps DNS. - - For the KubeVirt platform, the basedomain can be autogenerated using - the *.apps domain of the management/infra hosting cluster - This makes the guest cluster's base domain a subdomain of the - hypershift infra/mgmt cluster's base domain. 
- - Example: - Infra/Mgmt cluster's DNS - Base: example.com - Cluster: mgmt-cluster.example.com - Apps: *.apps.mgmt-cluster.example.com - KubeVirt Guest cluster's DNS - Base: apps.mgmt-cluster.example.com - Cluster: guest.apps.mgmt-cluster.example.com - Apps: *.apps.guest.apps.mgmt-cluster.example.com - - This is possible using OCP wildcard routes - type: boolean - x-kubernetes-validations: - - message: baseDomainPassthrough is immutable - rule: self == oldSelf - credentials: - description: |- - Credentials defines the client credentials used when creating KubeVirt virtual machines. - Defining credentials is only necessary when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. 
- type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - generateID: - description: |- - GenerateID is used to uniquely apply a name suffix to resources associated with - kubevirt infrastructure resources - maxLength: 11 - type: string - x-kubernetes-validations: - - message: Kubevirt GenerateID is immutable once set - rule: self == oldSelf - storageDriver: - description: |- - StorageDriver defines how the KubeVirt CSI driver exposes StorageClasses on - the infra cluster (hosting the VMs) to the guest cluster. - properties: - manual: - description: |- - Manual is used to explicilty define how the infra storageclasses are - mapped to guest storageclasses - properties: - storageClassMapping: - description: |- - StorageClassMapping maps StorageClasses on the infra cluster hosting - the KubeVirt VMs to StorageClasses that are made available within the - Guest Cluster. - - NOTE: It is possible that not all capablities of an infra cluster's - storageclass will be present for the corresponding guest clusters storageclass. - items: - properties: - group: - description: Group contains which group this - mapping belongs to. - type: string - guestStorageClassName: - description: |- - GuestStorageClassName is the name that the corresponding storageclass will - be called within the guest cluster - type: string - infraStorageClassName: - description: |- - InfraStorageClassName is the name of the infra cluster storage class that - will be exposed to the guest. - type: string - required: - - guestStorageClassName - - infraStorageClassName - type: object - type: array - x-kubernetes-validations: - - message: storageClassMapping is immutable - rule: self == oldSelf - volumeSnapshotClassMapping: - items: - properties: - group: - description: Group contains which group this - mapping belongs to. 
- type: string - guestVolumeSnapshotClassName: - description: |- - GuestVolumeSnapshotClassName is the name that the corresponding volumeSnapshotClass will - be called within the guest cluster - type: string - infraVolumeSnapshotClassName: - description: |- - InfraStorageClassName is the name of the infra cluster volume snapshot class that - will be exposed to the guest. - type: string - required: - - guestVolumeSnapshotClassName - - infraVolumeSnapshotClassName - type: object - type: array - x-kubernetes-validations: - - message: volumeSnapshotClassMapping is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver.Manual is immutable - rule: self == oldSelf - type: - default: Default - description: Type represents the type of kubevirt csi - driver configuration to use - enum: - - None - - Default - - Manual - type: string - x-kubernetes-validations: - - message: storageDriver.Type is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: storageDriver is immutable - rule: self == oldSelf - type: object - x-kubernetes-validations: - - message: Kubevirt GenerateID is required once set - rule: '!has(oldSelf.generateID) || has(self.generateID)' - openstack: - description: OpenStack specifies configuration for clusters running - on OpenStack. - properties: - disableExternalNetwork: - description: |- - DisableExternalNetwork specifies whether or not to attempt to connect the cluster - to an external network. This allows for the creation of clusters when connecting - to an external network is not possible or desirable, e.g. if using a provider network. - type: boolean - externalNetwork: - description: |- - ExternalNetwork is the OpenStack Network to be used to get public internet to the VMs. - This option is ignored if DisableExternalNetwork is set to true. - - If ExternalNetwork is defined it must refer to exactly one external network. 
- - If ExternalNetwork is not defined or is empty the controller will use any - existing external network as long as there is only one. It is an - error if ExternalNetwork is not defined and there are multiple - external networks unless DisableExternalNetwork is also set. - - If ExternalNetwork is not defined and there are no external networks - the controller will proceed as though DisableExternalNetwork was set. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - identityRef: - description: |- - IdentityRef is a reference to a secret holding OpenStack credentials - to be used when reconciling the hosted cluster. - properties: - cloudName: - description: CloudName specifies the name of the entry - in the clouds.yaml file to use. - type: string - name: - description: |- - Name is the name of a secret in the same namespace as the resource being provisioned. - The secret must contain a key named `clouds.yaml` which contains an OpenStack clouds.yaml file. - The secret may optionally contain a key named `cacert` containing a PEM-encoded CA certificate. - type: string - required: - - cloudName - - name - type: object - managedSubnets: - description: |- - ManagedSubnets describe the OpenStack Subnet to be created. Cluster actuator will create a network, - and a subnet with the defined DNSNameservers, AllocationPools and the CIDR defined in the HostedCluster - MachineNetwork, and a router connected to the subnet. Currently only one IPv4 - subnet is supported. - items: - properties: - allocationPools: - description: |- - AllocationPools is an array of AllocationPool objects that will be applied to OpenStack Subnet being created. - If set, OpenStack will only allocate these IPs for Machines. 
It will still be possible to create ports from - outside of these ranges manually. - items: - properties: - end: - description: End represents the end of the AlloctionPool, - that is the highest IP of the pool. - type: string - start: - description: Start represents the start of the - AllocationPool, that is the lowest IP of the - pool. - type: string - required: - - end - - start - type: object - type: array - dnsNameservers: - description: |- - DNSNameservers holds a list of DNS server addresses that will be provided when creating - the subnet. These addresses need to have the same IP version as CIDR. - items: - type: string - type: array - type: object - maxItems: 1 - type: array - x-kubernetes-list-type: atomic - network: - description: |- - Network specifies an existing network to use if no ManagedSubnets - are specified. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - network. If provided, cannot be empty. - minProperties: 1 - properties: - description: - description: Description is the description of the - network to filter by. - type: string - name: - description: Name is the name of the network to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. 
- minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the network - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the network to use. If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - networkMTU: - description: |- - NetworkMTU sets the maximum transmission unit (MTU) value to address fragmentation for the private network ID. - This value will be used only if the Cluster actuator creates the network. - If left empty, the network will have the default MTU defined in Openstack network service. - To use this field, the Openstack installation requires the net-mtu neutron API extension. - type: integer - router: - description: |- - Router specifies an existing router to be used if ManagedSubnets are - specified. If specified, no new router will be created. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select an OpenStack - router. If provided, cannot be empty. 
- minProperties: 1 - properties: - description: - description: Description is the description of the - router to filter by. - type: string - name: - description: Name is the name of the router to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the router - to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the ID of the router to use. 
If ID - is provided, the other filters cannot be provided. Must - be in UUID format. - format: uuid - type: string - type: object - subnets: - description: |- - Subnets specifies existing subnets to use if not ManagedSubnets are - specified. All subnets must be in the network specified by Network. - There can be zero, one, or two subnets. If no subnets are specified, - all subnets in Network will be used. If 2 subnets are specified, one - must be IPv4 and the other IPv6. - items: - description: SubnetParam specifies an OpenStack subnet to - use. It may be specified by either ID or filter, but not - both. - maxProperties: 1 - minProperties: 1 - properties: - filter: - description: Filter specifies a filter to select the - subnet. It must match exactly one subnet. - minProperties: 1 - properties: - cidr: - description: CIDR is the CIDR of the subnet to filter - by. - type: string - description: - description: Description is the description of the - subnet to filter by. - type: string - gatewayIP: - description: GatewayIP is the gateway IP of the - subnet to filter by. - type: string - ipVersion: - description: IPVersion is the IP version of the - subnet to filter by. - type: integer - ipv6AddressMode: - description: IPv6AddressMode is the IPv6 address - mode of the subnet to filter by. - type: string - ipv6RAMode: - description: IPv6RAMode is the IPv6 RA mode of the - subnet to filter by. - type: string - name: - description: Name is the name of the subnet to filter - by. - type: string - notTags: - description: |- - NotTags is a list of tags to filter by. If specified, resources which - contain all of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - notTagsAny: - description: |- - NotTagsAny is a list of tags to filter by. 
If specified, resources - which contain any of the given tags will be excluded from the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - projectID: - description: ProjectID is the project ID of the - subnet to filter by. - type: string - tags: - description: |- - Tags is a list of tags to filter by. If specified, the resource must - have all of the tags specified to be included in the result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - tagsAny: - description: |- - TagsAny is a list of tags to filter by. If specified, the resource - must have at least one of the tags specified to be included in the - result. - items: - description: |- - NeutronTag represents a tag on a Neutron resource. - It may not be empty and may not contain commas. - minLength: 1 - pattern: ^[^,]+$ - type: string - type: array - x-kubernetes-list-type: set - type: object - id: - description: ID is the uuid of the subnet. It will not - be validated. - format: uuid - type: string - type: object - maxItems: 2 - type: array - x-kubernetes-list-type: atomic - tags: - description: Tags to set on all resources in cluster which - support tags - items: - type: string - type: array - x-kubernetes-list-type: set - required: - - identityRef - type: object - powervs: - description: |- - PowerVS specifies configuration for clusters running on IBMCloud Power VS Service. - This field is immutable. Once set, It can't be changed. - properties: - accountID: - description: |- - AccountID is the IBMCloud account id. - This field is immutable. Once set, It can't be changed. 
- type: string - cisInstanceCRN: - description: |- - CISInstanceCRN is the IBMCloud CIS Service Instance's Cloud Resource Name - This field is immutable. Once set, It can't be changed. - pattern: '^crn:' - type: string - imageRegistryOperatorCloudCreds: - description: |- - ImageRegistryOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for image registry operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - ingressOperatorCloudCreds: - description: |- - IngressOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for ingress operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - kubeCloudControllerCreds: - description: | - KubeCloudControllerCreds is a reference to a secret containing cloud - credentials with permissions matching the cloud controller policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - nodePoolManagementCreds: - description: | - NodePoolManagementCreds is a reference to a secret containing cloud - credentials with permissions matching the node pool management policy. - This field is immutable. Once set, It can't be changed. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - region: - description: |- - Region is the IBMCloud region in which the cluster resides. This configures the - OCP control plane cloud integrations, and is used by NodePool to resolve - the correct boot image for a given release. - This field is immutable. Once set, It can't be changed. - type: string - resourceGroup: - description: |- - ResourceGroup is the IBMCloud Resource Group in which the cluster resides. - This field is immutable. Once set, It can't be changed. - type: string - serviceInstanceID: - description: |- - ServiceInstance is the reference to the Power VS service on which the server instance(VM) will be created. - Power VS service is a container for all Power VS instances at a specific geographic region. - serviceInstance can be created via IBM Cloud catalog or CLI. - ServiceInstanceID is the unique identifier that can be obtained from IBM Cloud UI or IBM Cloud cli. - - More detail about Power VS service instance. - https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-creating-power-virtual-server - - This field is immutable. Once set, It can't be changed. 
- type: string - storageOperatorCloudCreds: - description: |- - StorageOperatorCloudCreds is a reference to a secret containing ibm cloud - credentials for storage operator to get authenticated with ibm cloud. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - subnet: - description: |- - Subnet is the subnet to use for control plane cloud resources. - This field is immutable. Once set, It can't be changed. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - vpc: - description: |- - VPC specifies IBM Cloud PowerVS Load Balancing configuration for the control - plane. - This field is immutable. Once set, It can't be changed. - properties: - name: - description: |- - Name for VPC to used for all the service load balancer. - This field is immutable. Once set, It can't be changed. - type: string - region: - description: |- - Region is the IBMCloud region in which VPC gets created, this VPC used for all the ingress traffic - into the OCP cluster. - This field is immutable. Once set, It can't be changed. - type: string - subnet: - description: |- - Subnet is the subnet to use for load balancer. - This field is immutable. Once set, It can't be changed. - type: string - zone: - description: |- - Zone is the availability zone where load balancer cloud resources are - created. - This field is immutable. Once set, It can't be changed. - type: string - required: - - name - - region - type: object - zone: - description: |- - Zone is the availability zone where control plane cloud resources are - created. - This field is immutable. 
Once set, It can't be changed. - type: string - required: - - accountID - - cisInstanceCRN - - imageRegistryOperatorCloudCreds - - ingressOperatorCloudCreds - - kubeCloudControllerCreds - - nodePoolManagementCreds - - region - - resourceGroup - - serviceInstanceID - - storageOperatorCloudCreds - - subnet - - vpc - - zone - type: object - type: - description: Type is the type of infrastructure provider for the - cluster. - enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - pullSecret: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - releaseImage: - description: ReleaseImage is the release image applied to the hosted - control plane. - type: string - secretEncryption: - description: |- - SecretEncryption contains metadata about the kubernetes secret encryption strategy being used for the - cluster when applicable. - properties: - aescbc: - description: AESCBC defines metadata about the AESCBC secret encryption - strategy - properties: - activeKey: - description: ActiveKey defines the active key used to encrypt - new secrets - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - activeKey - type: object - kms: - description: KMS defines metadata about the kms secret encryption - strategy - properties: - aws: - description: AWS defines metadata about the configuration - of the AWS KMS Secret Encryption provider - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - auth: - description: Auth defines metadata about the management - of credentials used to interact with AWS KMS - properties: - awsKms: - description: "The referenced role must have a trust - relationship that allows it to be assumed via web - identity.\nhttps://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html.\nExample:\n{\n\t\t\"Version\": - \"2012-10-17\",\n\t\t\"Statement\": [\n\t\t\t{\n\t\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\t\"Principal\": {\n\t\t\t\t\t\"Federated\": - \"{{ .ProviderARN }}\"\n\t\t\t\t},\n\t\t\t\t\t\"Action\": - \"sts:AssumeRoleWithWebIdentity\",\n\t\t\t\t\"Condition\": - {\n\t\t\t\t\t\"StringEquals\": {\n\t\t\t\t\t\t\"{{ - .ProviderName }}:sub\": {{ 
.ServiceAccounts }}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t]\n\t}\n\nAWSKMSARN - is an ARN value referencing a role appropriate for - managing the auth via the AWS KMS key.\n\nThe following - is an example of a valid policy document:\n\n{\n\t\"Version\": - \"2012-10-17\",\n\t\"Statement\": [\n \t{\n\t\t\t\"Effect\": - \"Allow\",\n\t\t\t\"Action\": [\n\t\t\t\t\"kms:Encrypt\",\n\t\t\t\t\"kms:Decrypt\",\n\t\t\t\t\"kms:ReEncrypt*\",\n\t\t\t\t\"kms:GenerateDataKey*\",\n\t\t\t\t\"kms:DescribeKey\"\n\t\t\t],\n\t\t\t\"Resource\": - %q\n\t\t}\n\t]\n}" - type: string - required: - - awsKms - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - arn: - description: ARN is the Amazon Resource Name for the - encryption key - pattern: '^arn:' - type: string - required: - - arn - type: object - region: - description: Region contains the AWS region - type: string - required: - - activeKey - - auth - - region - type: object - azure: - description: Azure defines metadata about the configuration - of the Azure KMS Secret Encryption provider using Azure - key vault - properties: - activeKey: - description: ActiveKey defines the active key used to - encrypt new secrets - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. 
Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - backupKey: - description: |- - BackupKey defines the old key during the rotation process so previously created - secrets can continue to be decrypted until they are all re-encrypted with the active key. - properties: - keyName: - description: KeyName is the name of the keyvault key - used for encrypt/decrypt - type: string - keyVaultName: - description: |- - KeyVaultName is the name of the keyvault. Must match criteria specified at https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#vault-name-and-object-name - Your Microsoft Entra application used to create the cluster must be authorized to access this keyvault, e.g using the AzureCLI: - `az keyvault set-policy -n $KEYVAULT_NAME --key-permissions decrypt encrypt --spn ` - type: string - keyVersion: - description: KeyVersion contains the version of the - key to use - type: string - required: - - keyName - - keyVaultName - - keyVersion - type: object - kms: - description: kms is a pre-existing managed identity used - to authenticate with Azure KMS. - properties: - certificateName: - description: |- - certificateName is the name of the certificate backing the managed identity. This certificate is expected to - reside in an Azure Key Vault on the management cluster. - type: string - clientID: - description: clientID is the client ID of a managed - identity. 
- type: string - x-kubernetes-validations: - - message: the client ID of a managed identity must - be a valid UUID. It should be 5 groups of hyphen - separated hexadecimal characters in the form 8-4-4-4-12. - rule: self.matches('^[{]?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}[}]?$') - required: - - certificateName - - clientID - type: object - required: - - activeKey - type: object - ibmcloud: - description: IBMCloud defines metadata for the IBM Cloud KMS - encryption strategy - properties: - auth: - description: Auth defines metadata for how authentication - is done with IBM Cloud KMS - properties: - managed: - description: |- - Managed defines metadata around the service to service authentication strategy for the IBM Cloud - KMS system (all provider managed). - type: object - type: - description: Type defines the IBM Cloud KMS authentication - strategy - enum: - - Managed - - Unmanaged - type: string - unmanaged: - description: Unmanaged defines the auth metadata the - customer provides to interact with IBM Cloud KMS - properties: - credentials: - description: |- - Credentials should reference a secret with a key field of IBMCloudIAMAPIKeySecretKey that contains a apikey to - call IBM Cloud KMS APIs - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - required: - - credentials - type: object - required: - - type - type: object - keyList: - description: KeyList defines the list of keys used for - data encryption - items: - description: IBMCloudKMSKeyEntry defines metadata for - an IBM Cloud KMS encryption key - properties: - correlationID: - description: CorrelationID is an identifier used - to track all api call usage from hypershift - type: string - crkID: - description: CRKID is the customer rook key id - type: string - instanceID: - description: InstanceID is the id for the key protect - instance - type: string - keyVersion: - description: |- - KeyVersion is a unique number associated with the key. The number increments whenever a new - key is enabled for data encryption. - type: integer - url: - description: URL is the url to call key protect - apis over - pattern: ^https:// - type: string - required: - - correlationID - - crkID - - instanceID - - keyVersion - - url - type: object - type: array - region: - description: Region is the IBM Cloud region - type: string - required: - - auth - - keyList - - region - type: object - provider: - description: Provider defines the KMS provider - enum: - - IBMCloud - - AWS - - Azure - type: string - required: - - provider - type: object - type: - description: Type defines the type of kube secret encryption being - used - enum: - - kms - - aescbc - type: string - required: - - type - type: object - serviceAccountSigningKey: - description: |- - ServiceAccountSigningKey is a reference to a secret containing the private key - used by the service account token issuer. The secret is expected to contain - a single key named "key". If not specified, a service account signing key will - be generated automatically for the cluster. - properties: - name: - default: "" - description: |- - Name of the referent. 
- This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - services: - description: |- - Services defines metadata about how control plane services are published - in the management cluster. - items: - description: |- - ServicePublishingStrategyMapping specifies how individual control plane - services are published from the hosting cluster of a control plane. - properties: - service: - description: Service identifies the type of service being published. - enum: - - APIServer - - OAuthServer - - OIDC - - Konnectivity - - Ignition - - OVNSbDb - type: string - servicePublishingStrategy: - description: ServicePublishingStrategy specifies how to publish - Service. - properties: - loadBalancer: - description: LoadBalancer configures exposing a service - using a LoadBalancer. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the LoadBalancer. - type: string - type: object - nodePort: - description: NodePort configures exposing a service using - a NodePort. - properties: - address: - description: Address is the host/ip that the NodePort - service is exposed over. - type: string - port: - description: |- - Port is the port of the NodePort service. If <=0, the port is dynamically - assigned when the service is created. - format: int32 - type: integer - required: - - address - type: object - route: - description: Route configures exposing a service using a - Route. - properties: - hostname: - description: Hostname is the name of the DNS record - that will be created pointing to the Route. - type: string - type: object - type: - description: Type is the publishing strategy used for the - service. 
- enum: - - LoadBalancer - - NodePort - - Route - - None - - S3 - type: string - required: - - type - type: object - required: - - service - - servicePublishingStrategy - type: object - type: array - sshKey: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - tolerations: - description: Tolerations when specified, define what custome tolerations - are added to the hcp pods. - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. 
By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - updateService: - description: |- - updateService may be used to specify the preferred upstream update service. - By default it will use the appropriate update service for the cluster and region. - type: string - required: - - dns - - etcd - - infraID - - issuerURL - - platform - - pullSecret - - releaseImage - - services - - sshKey - type: object - status: - description: HostedControlPlaneStatus defines the observed state of HostedControlPlane - properties: - conditions: - description: |- - Condition contains details for one aspect of the current state of the HostedControlPlane. - Current condition types are: "Available" - items: - description: Condition contains details for one aspect of the current - state of this API Resource. - properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. 
- format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - controlPlaneEndpoint: - description: |- - ControlPlaneEndpoint contains the endpoint information by which - external clients can access the control plane. This is populated - after the infrastructure is ready. - properties: - host: - description: Host is the hostname on which the API server is serving. - type: string - port: - description: Port is the port on which the API server is serving. - format: int32 - type: integer - required: - - host - - port - type: object - externalManagedControlPlane: - default: true - description: |- - ExternalManagedControlPlane indicates to cluster-api that the control plane - is managed by an external service. - https://github.com/kubernetes-sigs/cluster-api/blob/65e5385bffd71bf4aad3cf34a537f11b217c7fab/controllers/machine_controller.go#L468 - type: boolean - initialized: - default: false - description: |- - Initialized denotes whether or not the control plane has - provided a kubeadm-config. 
- Once this condition is marked true, its value is never changed. See the Ready condition for an indication of - the current readiness of the cluster's control plane. - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L238-L252 - type: boolean - kubeConfig: - description: |- - KubeConfig is a reference to the secret containing the default kubeconfig - for this control plane. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - kubeadminPassword: - description: |- - KubeadminPassword is a reference to the secret containing the initial kubeadmin password - for the guest cluster. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - lastReleaseImageTransitionTime: - description: |- - lastReleaseImageTransitionTime is the time of the last update to the current - releaseImage property. - - Deprecated: Use versionStatus.history[0].startedTime instead. - format: date-time - type: string - nodeCount: - description: NodeCount tracks the number of nodes in the HostedControlPlane. - type: integer - oauthCallbackURLTemplate: - description: |- - OAuthCallbackURLTemplate contains a template for the URL to use as a callback - for identity providers. The [identity-provider-name] placeholder must be replaced - with the name of an identity provider defined on the HostedCluster. - This is populated after the infrastructure is ready. 
- type: string - platform: - description: Platform contains platform-specific status of the HostedCluster - properties: - aws: - description: AWSPlatformStatus contains status specific to the - AWS platform - properties: - defaultWorkerSecurityGroupID: - description: |- - DefaultWorkerSecurityGroupID is the ID of a security group created by - the control plane operator. It is always added to worker machines in - addition to any security groups specified in the NodePool. - type: string - type: object - type: object - ready: - default: false - description: |- - Ready denotes that the HostedControlPlane API Server is ready to - receive requests - This satisfies CAPI contract https://github.com/kubernetes-sigs/cluster-api/blob/cd3a694deac89d5ebeb888307deaa61487207aa0/controllers/cluster_controller_phases.go#L226-L230 - type: boolean - releaseImage: - description: |- - ReleaseImage is the release image applied to the hosted control plane. - - Deprecated: Use versionStatus.desired.image instead. - type: string - version: - description: |- - Version is the semantic version of the release applied by - the hosted control plane operator - - Deprecated: Use versionStatus.desired.version instead. - type: string - versionStatus: - description: |- - versionStatus is the status of the release version applied by the - hosted control plane operator. - properties: - availableUpdates: - description: |- - availableUpdates contains updates recommended for this - cluster. Updates which appear in conditionalUpdates but not in - availableUpdates may expose this cluster to known issues. This list - may be empty if no updates are recommended, if the update service - is unavailable, or if an invalid channel has been specified. - items: - description: Release represents an OpenShift release image and - associated metadata. - properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. 
- items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - nullable: true - type: array - conditionalUpdates: - description: |- - conditionalUpdates contains the list of updates that may be - recommended for this cluster if it meets specific required - conditions. Consumers interested in the set of updates that are - actually recommended for this cluster should use - availableUpdates. This list may be empty if no updates are - recommended, if the update service is unavailable, or if an empty - or invalid channel has been specified. - items: - description: |- - ConditionalUpdate represents an update which is recommended to some - clusters on the version the current cluster is reconciling, but which - may not be recommended for the current cluster. - properties: - conditions: - description: |- - conditions represents the observations of the conditional update's - current status. Known types are: - * Recommended, for whether the update is recommended for the current cluster. - items: - description: Condition contains details for one aspect - of the current state of this API Resource. 
- properties: - lastTransitionTime: - description: |- - lastTransitionTime is the last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - message is a human readable message indicating details about the transition. - This may be an empty string. - maxLength: 32768 - type: string - observedGeneration: - description: |- - observedGeneration represents the .metadata.generation that the condition was set based upon. - For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date - with respect to the current state of the instance. - format: int64 - minimum: 0 - type: integer - reason: - description: |- - reason contains a programmatic identifier indicating the reason for the condition's last transition. - Producers of specific condition types may define expected values and meanings for this field, - and whether the values are considered a guaranteed API. - The value should be a CamelCase string. - This field may not be empty. - maxLength: 1024 - minLength: 1 - pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ - type: string - status: - description: status of the condition, one of True, - False, Unknown. - enum: - - "True" - - "False" - - Unknown - type: string - type: - description: type of condition in CamelCase or in - foo.example.com/CamelCase. - maxLength: 316 - pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ - type: string - required: - - lastTransitionTime - - message - - reason - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - release: - description: release is the target of the update. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - risks: - description: |- - risks represents the range of issues associated with - updating to the target release. The cluster-version - operator will evaluate all entries, and only recommend the - update if there is at least one entry and all entries - recommend the update. - items: - description: |- - ConditionalUpdateRisk represents a reason and cluster-state - for not recommending a conditional update. - properties: - matchingRules: - description: |- - matchingRules is a slice of conditions for deciding which - clusters match the risk and which do not. The slice is - ordered by decreasing precedence. The cluster-version - operator will walk the slice in order, and stop after the - first it can successfully evaluate. If no condition can be - successfully evaluated, the update will not be recommended. - items: - description: |- - ClusterCondition is a union of typed cluster conditions. The 'type' - property determines which of the type-specific properties are relevant. 
- When evaluated on a cluster, the condition may match, not match, or - fail to evaluate. - properties: - promql: - description: promQL represents a cluster condition - based on PromQL. - properties: - promql: - description: |- - PromQL is a PromQL query classifying clusters. This query - query should return a 1 in the match case and a 0 in the - does-not-match case. Queries which return no time - series, or which return values besides 0 or 1, are - evaluation failures. - type: string - required: - - promql - type: object - type: - description: |- - type represents the cluster-condition type. This defines - the members and semantics of any additional properties. - enum: - - Always - - PromQL - type: string - required: - - type - type: object - minItems: 1 - type: array - x-kubernetes-list-type: atomic - message: - description: |- - message provides additional information about the risk of - updating, in the event that matchingRules match the cluster - state. This is only to be consumed by humans. It may - contain Line Feed characters (U+000A), which should be - rendered as new lines. - minLength: 1 - type: string - name: - description: |- - name is the CamelCase reason for not recommending a - conditional update, in the event that matchingRules match the - cluster state. - minLength: 1 - type: string - url: - description: url contains information about this risk. - format: uri - minLength: 1 - type: string - required: - - matchingRules - - message - - name - - url - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - required: - - release - - risks - type: object - type: array - x-kubernetes-list-type: atomic - desired: - description: |- - desired is the version that the cluster is reconciling towards. - If the cluster is not yet fully initialized desired will be set - with the information available, which may be an image or a tag. 
- properties: - channels: - description: |- - channels is the set of Cincinnati channels to which the release - currently belongs. - items: - type: string - type: array - x-kubernetes-list-type: set - image: - description: |- - image is a container image location that contains the update. When this - field is part of spec, image is optional if version is specified and the - availableUpdates field contains a matching version. - type: string - url: - description: |- - url contains information about this release. This URL is set by - the 'url' metadata property on a release or the metadata returned by - the update API and should be displayed as a link in user - interfaces. The URL field may not be set for test or nightly - releases. - type: string - version: - description: |- - version is a semantic version identifying the update version. When this - field is part of spec, version is optional if image is specified. - type: string - required: - - image - - version - type: object - history: - description: |- - history contains a list of the most recent versions applied to the cluster. - This value may be empty during cluster startup, and then will be updated - when a new update is being applied. The newest update is first in the - list and it is ordered by recency. Updates in the history have state - Completed if the rollout completed - if an update was failing or halfway - applied the state will be Partial. Only a limited amount of update history - is preserved. - items: - description: UpdateHistory is a single attempted update to the - cluster. - properties: - acceptedRisks: - description: |- - acceptedRisks records risks which were accepted to initiate the update. - For example, it may menition an Upgradeable=False or missing signature - that was overriden via desiredUpdate.force, or an update that was - initiated despite not being in the availableUpdates set of recommended - update targets. 
- type: string - completionTime: - description: |- - completionTime, if set, is when the update was fully applied. The update - that is currently being applied will have a null completion time. - Completion time will always be set for entries that are not the current - update (usually to the started time of the next update). - format: date-time - nullable: true - type: string - image: - description: |- - image is a container image location that contains the update. This value - is always populated. - type: string - startedTime: - description: startedTime is the time at which the update - was started. - format: date-time - type: string - state: - description: |- - state reflects whether the update was fully applied. The Partial state - indicates the update is not fully applied, while the Completed state - indicates the update was successfully rolled out at least once (all - parts of the update successfully applied). - type: string - verified: - description: |- - verified indicates whether the provided update was properly verified - before it was installed. If this is false the cluster may not be trusted. - Verified does not cover upgradeable checks that depend on the cluster - state at the time when the update target was accepted. - type: boolean - version: - description: |- - version is a semantic version identifying the update version. If the - requested image does not define a version, or if a failure occurs - retrieving the image, this value may be empty. - type: string - required: - - completionTime - - image - - startedTime - - state - - verified - type: object - type: array - observedGeneration: - description: |- - observedGeneration reports which version of the spec is being synced. - If this value is not equal to metadata.generation, then the desired - and conditions fields may represent a previous version. 
- format: int64 - type: integer - required: - - availableUpdates - - desired - - observedGeneration - type: object - required: - - initialized - - ready - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-CustomNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-CustomNoUpgrade.crd.yaml deleted file mode 100644 index 36b1816539c..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-CustomNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,1468 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: CustomNoUpgrade - name: nodepools.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: NodePool - listKind: NodePoolList - plural: nodepools - shortNames: - - np - - nps - singular: nodepool - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster - jsonPath: .spec.clusterName - name: Cluster - type: string - - description: Desired Nodes - jsonPath: .spec.replicas - name: Desired Nodes - type: integer - - description: Available Nodes - jsonPath: .status.replicas - name: Current Nodes - type: integer - - description: Autoscaling Enabled - jsonPath: .status.conditions[?(@.type=="AutoscalingEnabled")].status - name: Autoscaling - type: string - - description: Node Autorepair Enabled - jsonPath: .status.conditions[?(@.type=="AutorepairEnabled")].status - name: Autorepair - type: string - - description: Current version - jsonPath: .status.version - name: Version - type: string - - description: UpdatingVersion in progress - jsonPath: .status.conditions[?(@.type=="UpdatingVersion")].status - name: UpdatingVersion - type: string - - description: UpdatingConfig in progress - jsonPath: .status.conditions[?(@.type=="UpdatingConfig")].status - name: UpdatingConfig - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - NodePool is a scalable set of worker nodes attached to a HostedCluster. - NodePool machine architectures are uniform within a given pool, and are - independent of the control plane’s underlying machine architecture. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the NodePool. - properties: - arch: - default: amd64 - description: "arch is the preferred processor architecture for the - NodePool. Different platforms might have different supported architectures.\n\thttps://github.com/kubernetes/kubernetes/issues/108768#issuecomment-1253912215" - enum: - - arm64 - - amd64 - - ppc64le - type: string - x-kubernetes-validations: - - message: Arch is immutable - rule: self == oldSelf - autoScaling: - description: |- - autoscaling specifies auto-scaling behavior for the NodePool. - autoscaling is mutually exclusive with replicas. If replicas is set, this field must be ommited. - properties: - max: - description: Max is the maximum number of nodes allowed in the - pool. Must be >= 1 and >= Min. - format: int32 - minimum: 1 - type: integer - min: - description: Min is the minimum number of nodes to maintain in - the pool. Must be >= 1 and <= .Max. - format: int32 - minimum: 1 - type: integer - required: - - max - - min - type: object - x-kubernetes-validations: - - message: max must be equal or greater than min - rule: self.max >= self.min - clusterName: - description: |- - clusterName is the name of the HostedCluster this NodePool belongs to. 
- If a HostedCluster with this name doesn't exist, the controller will no-op until it exists. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: ClusterName is immutable - rule: self == oldSelf - - message: clusterName must consist of lowercase alphanumeric characters - or '-', start and end with an alphanumeric character, and be between - 1 and 253 characters - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') - config: - description: |- - config is a list of references to ConfigMaps containing serialized - MachineConfig resources to be injected into the ignition configurations of - nodes in the NodePool. The MachineConfig API schema is defined here: - - https://github.com/openshift/machine-config-operator/blob/18963e4f8fe66e8c513ca4b131620760a414997f/pkg/apis/machineconfiguration.openshift.io/v1/types.go#L185 - - Each ConfigMap must have a single key named "config" whose value is the YML - with one or more serialized machineconfiguration.openshift.io resources: - - * KubeletConfig - * ContainerRuntimeConfig - * MachineConfig - * ClusterImagePolicy - * ImageContentSourcePolicy - * ImageDigestMirrorSet - - This is validated in the backend and signaled back via validMachineConfig condition. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - management: - description: |- - management specifies behavior for managing nodes in the pool, such as - upgrade strategies and auto-repair behaviors. 
- properties: - autoRepair: - default: false - description: |- - autoRepair specifies whether health checks should be enabled for machines in the NodePool. The default is false. - Enabling this feature will cause the controller to automatically delete unhealthy machines. - The unhealthy criteria is reserved for the controller implementation and subject to change. - But generally it's determined by checking the Node ready condition is true and a timeout that might vary depending on the platform provider. - AutoRepair will no-op when more than 2 Nodes are unhealthy at the same time. Giving time for the cluster to stabilize or to the user to manually intervene. - type: boolean - inPlace: - description: inPlace is the configuration for in-place upgrades. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - Defaults to 1. - - Example: when this is set to 30%, a max of 30% of the nodes can be made - unschedulable/unavailable immediately when the update starts. Once a set - of nodes is updated, more nodes can be made unschedulable for update, - ensuring that the total number of nodes schedulable at all times during - the update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - replace: - default: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - strategy: RollingUpdate - description: |- - replace is the configuration for rolling upgrades. - It defaults to a RollingUpdate strategy with maxSurge of 1 and maxUnavailable of 0. - properties: - rollingUpdate: - description: |- - rollingUpdate specifies a rolling update strategy which upgrades nodes by - creating new nodes and deleting the old ones. 
- properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - maxSurge is the maximum number of nodes that can be provisioned above the - desired number of nodes. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding up. - - This can not be 0 if MaxUnavailable is 0. - - Defaults to 1. - - Example: when this is set to 30%, new nodes can be provisioned immediately - when the rolling update starts, such that the total number of old and new - nodes do not exceed 130% of desired nodes. Once old nodes have been - deleted, new nodes can be provisioned, ensuring that total number of nodes - running at any time during the update is at most 130% of desired nodes. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - This can not be 0 if MaxSurge is 0. - - Defaults to 0. - - Example: when this is set to 30%, old nodes can be deleted down to 70% of - desired nodes immediately when the rolling update starts. Once new nodes - are ready, more old nodes be deleted, followed by provisioning new nodes, - ensuring that the total number of nodes available at all times during the - update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - strategy: - description: |- - strategy is the node replacement strategy for nodes in the pool. - In can be either "RollingUpdate" or "OnDelete". RollingUpdate will rollout Nodes honoring maxSurge and maxUnavailable. - OnDelete provide more granular control and will replace nodes as the old ones are manually deleted. 
- enum: - - RollingUpdate - - OnDelete - type: string - type: object - x-kubernetes-validations: - - message: The 'rollingUpdate' field can only be set when 'strategy' - is 'RollingUpdate' - rule: '!has(self.rollingUpdate) || self.strategy == ''RollingUpdate''' - upgradeType: - description: |- - upgradeType specifies the type of strategy for handling upgrades. - This can be either "Replace" or "InPlace". - "Replace" will update Nodes by recreating the underlying instances. - "InPlace" will update Nodes by applying changes to the existing instances. This might or might not result in a reboot. - enum: - - Replace - - InPlace - type: string - x-kubernetes-validations: - - message: UpgradeType is immutable - rule: self == oldSelf - required: - - upgradeType - type: object - x-kubernetes-validations: - - message: The 'inPlace' field can only be set when 'upgradeType' - is 'InPlace' - rule: '!has(self.inPlace) || self.upgradeType == ''InPlace''' - nodeDrainTimeout: - description: |- - nodeDrainTimeout is the maximum amount of time that the controller will spend on retrying to drain a node until it succeeds. - The default value is 0, meaning that the node can retry drain without any time limitations. - type: string - nodeLabels: - additionalProperties: - type: string - description: |- - nodeLabels propagates a list of labels to Nodes, only once on creation. - Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - nodeVolumeDetachTimeout: - description: |- - nodeVolumeDetachTimeout is the maximum amount of time that the controller will spend on detaching volumes from a node. - The default value is 0, meaning that the volumes will be detached from the node without any time limitations. - After the timeout, any remaining attached volumes will be ignored and the removal of the machine will continue. 
- type: string - pausedUntil: - description: |- - pausedUntil is a field that can be used to pause reconciliation on the NodePool controller. Resulting in any change to the NodePool being ignored. - Either a date can be provided in RFC3339 format or a boolean as in 'true', 'false', 'True', 'False'. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - maxLength: 35 - minLength: 1 - type: string - x-kubernetes-validations: - - message: PausedUntil must be a date in RFC3339 format or 'True', - 'true', 'False' or 'false' - rule: self.matches('^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.*$') - || self in ['true', 'false', 'True', 'False'] - platform: - description: |- - platform specifies the underlying infrastructure provider for the NodePool - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies the configuration used when using - Agent platform. - properties: - agentLabelSelector: - description: |- - AgentLabelSelector contains labels that must be set on an Agent in order to - be selected for a Machine. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - aws: - description: AWS specifies the configuration used when operating - on AWS. - properties: - ami: - description: |- - AMI is the image id to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - instanceProfile: - description: InstanceProfile is the AWS EC2 instance profile, - which is a container for an IAM role that the EC2 instance - uses. - type: string - instanceType: - description: InstanceType is an ec2 instance type for node - instances (e.g. m5.large). - type: string - placement: - description: placement specifies the placement options for - the EC2 instances. - properties: - tenancy: - description: |- - Tenancy indicates if instance should run on shared or single-tenant hardware. - - Possible values: - default: NodePool instances run on shared hardware. - dedicated: Each NodePool instance runs on single-tenant hardware. - host: NodePool instances run on user's pre-allocated dedicated hosts. - enum: - - default - - dedicated - - host - type: string - type: object - resourceTags: - description: |- - ResourceTags is an optional list of additional tags to apply to AWS node - instances. - - These will be merged with HostedCluster scoped tags, and HostedCluster tags - take precedence in case of conflicts. 
- - See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rootVolume: - description: RootVolume specifies configuration for the root - volume of node instances. - properties: - encrypted: - description: Encrypted is whether the volume should be - encrypted or not. - type: boolean - x-kubernetes-validations: - - message: Encrypted is immutable - rule: self == oldSelf - encryptionKey: - description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. - type: string - iops: - description: |- - IOPS is the number of IOPS requested for the disk. This is only valid - for type io1. - format: int64 - type: integer - size: - description: |- - Size specifies size (in Gi) of the storage device. - - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - type: - description: Type is the type of the volume. 
- type: string - required: - - size - - type - type: object - securityGroups: - description: |- - SecurityGroups is an optional set of security groups to associate with node - instances. - items: - description: |- - AWSResourceReference is a reference to a specific AWS resource by ID or filters. - Only one of ID or Filters may be specified. Specifying more than one will result in - a validation error. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - type: array - subnet: - description: Subnet is the subnet to use for node instances. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names are - case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - x-kubernetes-validations: - - message: subnet is invalid, a valid subnet id or filters - must be set, but not both - rule: 'has(self.id) && self.id.startsWith(''subnet-'') ? - !has(self.filters) : size(self.filters) > 0' - required: - - instanceType - - subnet - type: object - azure: - description: AzureNodePoolPlatform is the platform specific configuration - for an Azure node pool. - properties: - availabilityZone: - description: |- - availabilityZone is the failure domain identifier where the VM should be attached to. This must not be specified - for clusters in a location that does not support AvailabilityZone because it would cause a failure from Azure API. - type: string - diagnostics: - description: |- - diagnostics specifies the diagnostics settings for a virtual machine. - If not specified, then Boot diagnostics will be disabled. - properties: - storageAccountType: - allOf: - - enum: - - Managed - - UserManaged - - Disabled - - enum: - - Managed - - UserManaged - - Disabled - default: Disabled - description: |- - storageAccountType determines if the storage account for storing the diagnostics data - should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). - type: string - userManaged: - description: userManaged specifies the diagnostics settings - for a virtual machine when the storage account is managed - by the user. - properties: - storageAccountURI: - description: |- - storageAccountURI is the URI of the user-managed storage account. - The URI typically will be `https://.blob.core.windows.net/` - but may differ if you are using Azure DNS zone endpoints. 
- You can find the correct endpoint by looking for the Blob Primary Endpoint in the - endpoints tab in the Azure console or with the CLI by issuing - `az storage account list --query='[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}'`. - maxLength: 1024 - type: string - x-kubernetes-validations: - - message: storageAccountURI must be a valid HTTPS - URL - rule: isURL(self) && url(self).getScheme() == 'https' - required: - - storageAccountURI - type: object - type: object - x-kubernetes-validations: - - message: userManaged is required when storageAccountType - is UserManaged, and forbidden otherwise - rule: 'self.storageAccountType == ''UserManaged'' ? has(self.userManaged) - : !has(self.userManaged)' - encryptionAtHost: - default: Enabled - description: |- - encryptionAtHost enables encryption at host on virtual machines. According to Microsoft documentation, this - means data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. See - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell - for more information. - enum: - - Enabled - - Disabled - type: string - image: - description: |- - image is used to configure the VM boot image. If unset, the default image at the location below will be used and - is expected to exist: subscription//resourceGroups//providers/Microsoft.Compute/images/rhcos.x86_64.vhd. - The and the are expected to be the same resource group documented in the - Hosted Cluster specification respectively, HostedCluster.Spec.Platform.Azure.SubscriptionID and - HostedCluster.Spec.Platform.Azure.ResourceGroupName. - properties: - azureMarketplace: - description: azureMarketplace contains the Azure Marketplace - image info to use to boot the Azure VMs from. - properties: - offer: - description: offer specifies the name of a group of - related images created by the publisher. 
- minLength: 1 - type: string - publisher: - description: |- - publisher is the name of the organization that created the image. - It must be between 3 and 50 characters in length, and consist of only lowercase letters, numbers, and hyphens (-) and underscores (_). - It must start with a lowercase letter or a number. - maxLength: 50 - minLength: 3 - pattern: ^[a-z0-9][a-z0-9-_]{2,49}$ - type: string - sku: - description: |- - sku specifies an instance of an offer, such as a major release of a distribution. - For example, 22_04-lts-gen2, 8-lvm-gen2. - The value must consist only of lowercase letters, numbers, and hyphens (-) and underscores (_). - minLength: 1 - pattern: ^[a-z0-9-_]+$ - type: string - version: - description: |- - version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, - Minor, and Build are decimal numbers, e.g. '1.2.0'. Specify 'latest' to use the latest version of an image available at - deployment time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a - new version becomes available. - maxLength: 32 - minLength: 1 - pattern: ^[0-9]+\.[0-9]+\.[0-9]+$|^latest$ - type: string - required: - - offer - - publisher - - sku - - version - type: object - imageID: - description: imageID is the Azure resource ID of a VHD - image to use to boot the Azure VMs from. - type: string - type: - description: |- - type is the type of image data that will be provided to the Azure VM. - Valid values are "ImageID" and "AzureMarketplace". - ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. - AzureMarketplace means the VM will boot from an Azure Marketplace image. - Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. 
- enum: - - ImageID - - AzureMarketplace - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: imageID is required when type is ImageID, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''ImageID'' ? has(self.imageID) - : !has(self.imageID)' - - message: azureMarketplace is required when type is RequiredMember, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AzureMarketplace'' - ? has(self.azureMarketplace) : !has(self.azureMarketplace)' - machineIdentityID: - description: | - machineIdentityID is a user-assigned identity assigned to the VMs used to authenticate with Azure services. The - identify is expected to exist under the same resource group as HostedCluster.Spec.Platform.Azure.ResourceGroupName. This - user assigned identity is expected to have the Contributor role assigned to it and scoped to the resource group - under HostedCluster.Spec.Platform.Azure.ResourceGroupName. - - If this field is not supplied, the Service Principal credentials will be written to a file on the disk of each VM - in order to be accessible by the cloud provider; the aforementioned credentials provided are the same ones as - HostedCluster.Spec.Platform.Azure.Credentials. However, this is less secure than using a managed identity. - type: string - osDisk: - description: |- - osDisk provides configuration for the OS disk for the nodepool. - This can be used to configure the size, storage account type, encryption options and whether the disk is persistent or ephemeral. - When not provided, the platform will choose reasonable defaults which are subject to change over time. - Review the fields within the osDisk for more details. - properties: - diskStorageAccountType: - description: |- - storageAccountType is the disk storage account type to use. - Valid values are Standard, StandardSSD, PremiumSSD and UltraSSD and omitted. - Note that Standard means a HDD. 
- The disk performance is tied to the disk type, please refer to the Azure documentation for further details - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison. - When omitted this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is PremiumSSD. - enum: - - Standard - - StandardSSD - - PremiumSSD - - UltraSSD - type: string - encryptionSetID: - description: |- - encryptionSetID is the ID of the DiskEncryptionSet resource to use to encrypt the OS disks for the VMs. - Configuring a DiskEncyptionSet allows greater control over the encryption of the VM OS disk at rest. - Can be used with either platform (Azure) managed, or customer managed encryption keys. - This needs to exist in the same subscription id listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.SubscriptionID. - DiskEncryptionSetID should also exist in a resource group under the same subscription id and the same location - listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.Location. - The encryptionSetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The resourceName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores. 
- maxLength: 285 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}` - rule: size(self.split('/')) == 9 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Compute/diskEncryptionSets/.*$') - - message: The resourceGroupName should be between 1 and - 90 characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the encryptionSetID - must not end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The resourceName should be between 1 and 80 - characters, consisting only of alphanumeric characters, - hyphens and underscores - rule: self.split('/')[8].matches('[a-zA-Z0-9-_]{1,80}') - persistence: - description: |- - persistence determines whether the OS disk should be persisted beyond the life of the VM. - Valid values are Persistent and Ephemeral. - When set to Ephmeral, the OS disk will not be persisted to Azure storage and implies restrictions to the VM size and caching type. - Full details can be found in the Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks. - Ephmeral disks are primarily used for stateless applications, provide lower latency than Persistent disks and also incur no storage costs. - When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - enum: - - Persistent - - Ephemeral - type: string - sizeGiB: - description: |- - SizeGiB is the size in GiB (1024^3 bytes) to assign to the OS disk. - This should be between 16 and 65,536 when using the UltraSSD storage account type and between 16 and 32,767 when using any other storage account type. 
- When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 30. - format: int32 - maximum: 65536 - minimum: 16 - type: integer - type: object - x-kubernetes-validations: - - message: When not using storageAccountType UltraSSD, the - SizeGB value must be less than or equal to 32,767 - rule: '!has(self.diskStorageAccountType) || self.diskStorageAccountType - != ''UltraSSD'' || self.sizeGiB <= 32767' - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - vmSize: - description: |- - vmSize is the Azure VM instance type to use for the nodes being created in the nodepool. - The size naming convention is documented here https://learn.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions. 
- Size names should start with a Family name, which is represented by one of more capital letters, and then be followed by the CPU count. - This is followed by 0 or more additional features, represented by a, b, d, i, l, m, p, t, s, C, and NP, refer to the Azure documentation for an explanation of these features. - Optionally an accelerator such as a GPU can be added, prefixed by an underscore, for example A100, H100 or MI300X. - The size may also be versioned, in which case it should be suffixed with _v where the version is a number. - For example, "D32ads_v5" would be a suitable general purpose VM size, or "ND96_MI300X_v5" would represent a GPU accelerated VM. - pattern: ^(Standard_|Basic_)?[A-Z]+[0-9]+(-[0-9]+)?[abdilmptsCNP]*(_[A-Z]*[0-9]+[A-Z]*)?(_v[0-9]+)?$ - type: string - required: - - image - - osDisk - - subnetID - - vmSize - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: Kubevirt specifies the configuration used when operating - on KubeVirt platform. 
- properties: - additionalNetworks: - description: AdditionalNetworks specify the extra networks - attached to the nodes - items: - description: |- - KubevirtNetwork specifies the configuration for a virtual machine - network interface - properties: - name: - description: |- - Name specify the network attached to the nodes - it is a value with the format "[namespace]/[name]" to reference the - multus network attachment definition - type: string - required: - - name - type: object - type: array - attachDefaultNetwork: - default: true - description: |- - AttachDefaultNetwork specify if the default pod network should be attached to the nodes - this can only be set to false if AdditionalNetworks are configured - type: boolean - compute: - default: - cores: 2 - memory: 8Gi - description: Compute contains values representing the virtual - hardware requested for the VM - properties: - cores: - default: 2 - description: Cores represents how many cores the guest - VM should have - format: int32 - type: integer - memory: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Memory represents how much guest memory the - VM should have - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - qosClass: - default: Burstable - description: |- - QosClass If set to "Guaranteed", requests the scheduler to place the VirtualMachineInstance on a node with - limit memory and CPU, equal to be the requested values, to set the VMI as a Guaranteed QoS Class; - See here for more details: - https://kubevirt.io/user-guide/operations/node_overcommit/#requesting-the-right-qos-class-for-virtualmachineinstances - enum: - - Burstable - - Guaranteed - type: string - type: object - hostDevices: - description: |- - KubevirtHostDevices specifies the host devices (e.g. 
GPU devices) to be passed - from the management cluster, to the nodepool nodes - items: - properties: - count: - default: 1 - description: |- - Count is the number of instances the specified host device will be attached to each of the - NodePool's nodes. Default is 1. - minimum: 1 - type: integer - deviceName: - description: |- - DeviceName is the name of the host device that is desired to be utilized in the HostedCluster's NodePool - The device can be any supported PCI device, including GPU, either as a passthrough or a vGPU slice. - type: string - required: - - deviceName - type: object - type: array - networkInterfaceMultiqueue: - default: Enable - description: |- - NetworkInterfaceMultiQueue If set to "Enable", virtual network interfaces configured with a virtio bus will also - enable the vhost multiqueue feature for network devices. The number of queues created depends on additional - factors of the VirtualMachineInstance, like the number of guest CPUs. - enum: - - Enable - - Disable - type: string - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the kubevirt VirtualMachine to fit on a node. - Selector which must match a node's labels for the VM to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - rootVolume: - default: - persistent: - size: 32Gi - type: Persistent - description: RootVolume represents values associated with - the VM volume that will host rhcos - properties: - cacheStrategy: - description: CacheStrategy defines the boot image caching - strategy. 
Default - no caching - properties: - type: - default: None - description: Type is the type of the caching strategy - enum: - - None - - PVC - type: string - required: - - type - type: object - diskImage: - description: Image represents what rhcos image to use - for the node pool - properties: - containerDiskImage: - description: ContainerDiskImage is a string representing - the container image that holds the root disk - type: string - type: object - persistent: - description: |- - Persistent volume type means the VM's storage is backed by a PVC - VMs that use persistent volumes can survive disruption events like restart and eviction - This is the default type used when no storage type is defined. - properties: - accessModes: - description: |- - AccessModes is an array that contains the desired Access Modes the root volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes - items: - enum: - - ReadWriteOnce - - ReadWriteMany - - ReadOnly - - ReadWriteOncePod - type: string - type: array - size: - anyOf: - - type: integer - - type: string - default: 32Gi - description: Size is the size of the persistent storage - volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - storageClass: - description: StorageClass is the storageClass used - for the underlying PVC that hosts the volume - type: string - volumeMode: - description: |- - VolumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - enum: - - Filesystem - - Block - type: string - type: object - type: - default: Persistent - description: Type represents the type of storage to associate - with the kubevirt VMs. 
- enum: - - Persistent - type: string - type: object - required: - - rootVolume - type: object - openstack: - description: OpenStack specifies the configuration used when using - OpenStack platform. - properties: - availabilityZone: - description: |- - availabilityZone is the nova availability zone in which the provider will create the VM. - If not specified, the VM will be created in the default availability zone specified in the nova configuration. - Availability zone names must NOT contain : since it is used by admin users to specify hosts where instances - are launched in server creation. Also, it must not contain spaces otherwise it will lead to node that belongs - to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. - The maximum length of availability zone name is 63 as per labels limits. - maxLength: 63 - minLength: 1 - pattern: '^[^: ]*$' - type: string - flavor: - description: Flavor is the OpenStack flavor to use for the - node instances. - type: string - imageName: - description: |- - ImageName is the OpenStack Glance image name to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - required: - - flavor - type: object - powervs: - description: PowerVS specifies the configuration used when using - IBMCloud PowerVS platform. - properties: - image: - description: |- - Image used for deploying the nodes. If unspecified, the default - is chosen based on the NodePool release payload image. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - imageDeletePolicy: - default: delete - description: |- - ImageDeletePolicy is policy for the image deletion. - - delete: delete the image from the infrastructure. - retain: delete the image from the openshift but retain in the infrastructure. 
- - The default is delete - enum: - - delete - - retain - type: string - memoryGiB: - default: 32 - description: |- - MemoryGiB is the size of a virtual machine's memory, in GiB. - maximum value for the MemoryGiB depends on the selected SystemType. - when SystemType is set to e880 maximum MemoryGiB value is 7463 GiB. - when SystemType is set to e980 maximum MemoryGiB value is 15307 GiB. - when SystemType is set to s922 maximum MemoryGiB value is 942 GiB. - The minimum memory is 32 GiB. - - When omitted, this means the user has no opinion and the platform is left to choose a reasonable - default. The current default is 32. - format: int32 - type: integer - processorType: - default: shared - description: |- - ProcessorType is the VM instance processor type. - It must be set to one of the following values: Dedicated, Capped or Shared. - - Dedicated: resources are allocated for a specific client, The hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. - Shared: Shared among other clients. - Capped: Shared, but resources do not expand beyond those that are requested, the amount of CPU time is Capped to the value specified for the entitlement. - - if the processorType is selected as Dedicated, then Processors value cannot be fractional. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is shared. - enum: - - dedicated - - shared - - capped - type: string - processors: - anyOf: - - type: integer - - type: string - default: "0.5" - description: |- - Processors is the number of virtual processors in a virtual machine. - when the processorType is selected as Dedicated the processors value cannot be fractional. - maximum value for the Processors depends on the selected SystemType. - when SystemType is set to e880 or e980 maximum Processors value is 143. - when SystemType is set to s922 maximum Processors value is 15. 
- minimum value for Processors depends on the selected ProcessorType. - when ProcessorType is set as Shared or Capped, The minimum processors is 0.5. - when ProcessorType is set as Dedicated, The minimum processors is 1. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The default is set based on the selected ProcessorType. - when ProcessorType selected as Dedicated, the default is set to 1. - when ProcessorType selected as Shared or Capped, the default is set to 0.5. - x-kubernetes-int-or-string: true - storageType: - default: tier1 - description: |- - StorageType for the image and nodes, this will be ignored if Image is specified. - The storage tiers in PowerVS are based on I/O operations per second (IOPS). - It means that the performance of your storage volumes is limited to the maximum number of IOPS based on volume size and storage tier. - Although, the exact numbers might change over time, the Tier 3 storage is currently set to 3 IOPS/GB, and the Tier 1 storage is currently set to 10 IOPS/GB. - - The default is tier1 - enum: - - tier1 - - tier3 - type: string - systemType: - default: s922 - description: |- - SystemType is the System type used to host the instance. - systemType determines the number of cores and memory that is available. - Few of the supported SystemTypes are s922,e880,e980. - e880 systemType available only in Dallas Datacenters. - e980 systemType available in Datacenters except Dallas and Washington. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is s922 which is generally available. - type: string - type: object - type: - description: Type specifies the platform name. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - release: - description: |- - release specifies the OCP release used for the NodePool. This informs the - ignition configuration for machines which includes the kubelet version, as well as other platform specific - machine properties (e.g. an AMI on the AWS platform). - It's not supported to use a release in a NodePool which minor version skew against the Control Plane release is bigger than N-2. Although there's no enforcement that prevents this from happening. - Attempting to use a release with a bigger skew might result in unpredictable behaviour. - Attempting to use a release higher than the HosterCluster one will result in the NodePool being degraded and the ValidReleaseImage condition being false. - Attempting to use a release lower than the current NodePool y-stream will result in the NodePool being degraded and the ValidReleaseImage condition being false. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - replicas: - description: |- - replicas is the desired number of nodes the pool should maintain. If unset, the controller default value is 0. - replicas is mutually exclusive with autoscaling. If autoscaling is configured, replicas must be omitted and autoscaling will control the NodePool size internally. 
- format: int32 - type: integer - taints: - description: |- - taints if specified, propagates a list of taints to Nodes, only once on creation. - These taints are additive to the ones applied by other controllers - items: - description: |- - taint is as v1 Core but without TimeAdded. - https://github.com/kubernetes/kubernetes/blob/ed8cad1e80d096257921908a52ac69cf1f41a098/staging/src/k8s.io/api/core/v1/types.go#L3037-L3053 - Validation replicates the same validation as the upstream https://github.com/kubernetes/kubernetes/blob/9a2a7537f035969a68e432b4cc276dbce8ce1735/pkg/util/taints/taints.go#L273. - See also https://kubernetes.io/docs/concepts/overview/working-with-objects/names/. - properties: - effect: - description: |- - effect is the effect of the taint on pods - that do not tolerate the taint. - Valid effects are NoSchedule, PreferNoSchedule and NoExecute. - enum: - - NoSchedule - - PreferNoSchedule - - NoExecute - type: string - key: - description: key is the taint key to be applied to a node. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must be a qualified name with an optional subdomain - prefix e.g. example.com/MyName - rule: self.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/)?[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$') - value: - description: value is the taint value corresponding to the taint - key. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: Value must start and end with alphanumeric characters - and can only contain '-', '_', '.' in the middle - rule: self.matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$') - required: - - effect - - key - type: object - maxItems: 50 - type: array - tuningConfig: - description: |- - tuningConfig is a list of references to ConfigMaps containing serialized - Tuned or PerformanceProfile resources to define the tuning configuration to be applied to - nodes in the NodePool. 
The Tuned API is defined here: - - https://github.com/openshift/cluster-node-tuning-operator/blob/2c76314fb3cc8f12aef4a0dcd67ddc3677d5b54f/pkg/apis/tuned/v1/tuned_types.go - - The PerformanceProfile API is defined here: - https://github.com/openshift/cluster-node-tuning-operator/tree/b41042d42d4ba5bb2e99960248cf1d6ae4935018/pkg/apis/performanceprofile/v2 - - Each ConfigMap must have a single key named "tuning" whose value is the - JSON or YAML of a serialized Tuned or PerformanceProfile. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - required: - - clusterName - - management - - platform - - release - type: object - x-kubernetes-validations: - - message: Arch is required once set - rule: '!has(oldSelf.arch) || has(self.arch)' - - message: Setting Arch to arm64 is only supported for AWS and Azure - rule: self.arch != 'arm64' || has(self.platform.aws) || has(self.platform.azure) - - message: Both replicas or autoScaling should not be set - rule: '!has(self.replicas) || !has(self.autoScaling)' - status: - description: Status is the latest observed status of the NodePool. - properties: - conditions: - description: |- - Conditions represents the latest available observations of the node pool's - current state. - items: - description: |- - We define our own condition type since metav1.Condition has validation - for Reason that might be broken by what we bubble up from CAPI. - NodePoolCondition defines an observation of NodePool resource operational state. 
- properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - observedGeneration: - format: int64 - minimum: 0 - type: integer - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. - This field may not be empty. - type: string - severity: - description: |- - Severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: |- - Type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - platform: - description: Platform hols the specific statuses - properties: - kubeVirt: - description: KubeVirt contains the KubeVirt platform statuses - properties: - cacheName: - description: CacheName holds the name of the cache DataVolume, - if exists - type: string - credentials: - description: |- - Credentials shows the client credentials used when creating KubeVirt virtual machines. 
- This filed is only exists when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - type: object - type: object - replicas: - description: Replicas is the latest observed number of nodes in the - pool. - format: int32 - type: integer - version: - description: |- - Version is the semantic version of the latest applied release specified by - the NodePool. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - status: {} 
diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-Default.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-Default.crd.yaml deleted file mode 100644 index b97fa984cc7..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-Default.crd.yaml +++ /dev/null 
@@ -1,1439 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: Default - name: nodepools.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: NodePool - listKind: NodePoolList - plural: nodepools - shortNames: - - np - - nps - singular: nodepool - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster - jsonPath: .spec.clusterName - name: Cluster - type: string - - description: Desired Nodes - jsonPath: .spec.replicas - name: Desired Nodes - type: integer - - description: Available Nodes - jsonPath: .status.replicas - name: Current Nodes - type: integer - - description: Autoscaling Enabled - jsonPath: .status.conditions[?(@.type=="AutoscalingEnabled")].status - name: Autoscaling - type: string - - description: Node Autorepair Enabled - jsonPath: .status.conditions[?(@.type=="AutorepairEnabled")].status - name: Autorepair - type: string - - description: Current version - jsonPath: .status.version - name: Version - type: string - - description: UpdatingVersion in progress - jsonPath: .status.conditions[?(@.type=="UpdatingVersion")].status - name: UpdatingVersion - type: string - - description: UpdatingConfig in progress - jsonPath: .status.conditions[?(@.type=="UpdatingConfig")].status - name: UpdatingConfig - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - NodePool is a scalable set of worker nodes attached to a HostedCluster. - NodePool machine architectures are uniform within a given pool, and are - independent of the control plane’s underlying machine architecture. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the NodePool. - properties: - arch: - default: amd64 - description: "arch is the preferred processor architecture for the - NodePool. Different platforms might have different supported architectures.\n\thttps://github.com/kubernetes/kubernetes/issues/108768#issuecomment-1253912215" - enum: - - arm64 - - amd64 - - ppc64le - type: string - x-kubernetes-validations: - - message: Arch is immutable - rule: self == oldSelf - autoScaling: - description: |- - autoscaling specifies auto-scaling behavior for the NodePool. - autoscaling is mutually exclusive with replicas. If replicas is set, this field must be ommited. - properties: - max: - description: Max is the maximum number of nodes allowed in the - pool. Must be >= 1 and >= Min. - format: int32 - minimum: 1 - type: integer - min: - description: Min is the minimum number of nodes to maintain in - the pool. Must be >= 1 and <= .Max. - format: int32 - minimum: 1 - type: integer - required: - - max - - min - type: object - x-kubernetes-validations: - - message: max must be equal or greater than min - rule: self.max >= self.min - clusterName: - description: |- - clusterName is the name of the HostedCluster this NodePool belongs to. 
- If a HostedCluster with this name doesn't exist, the controller will no-op until it exists. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: ClusterName is immutable - rule: self == oldSelf - - message: clusterName must consist of lowercase alphanumeric characters - or '-', start and end with an alphanumeric character, and be between - 1 and 253 characters - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') - config: - description: |- - config is a list of references to ConfigMaps containing serialized - MachineConfig resources to be injected into the ignition configurations of - nodes in the NodePool. The MachineConfig API schema is defined here: - - https://github.com/openshift/machine-config-operator/blob/18963e4f8fe66e8c513ca4b131620760a414997f/pkg/apis/machineconfiguration.openshift.io/v1/types.go#L185 - - Each ConfigMap must have a single key named "config" whose value is the YML - with one or more serialized machineconfiguration.openshift.io resources: - - * KubeletConfig - * ContainerRuntimeConfig - * MachineConfig - * ClusterImagePolicy - * ImageContentSourcePolicy - * ImageDigestMirrorSet - - This is validated in the backend and signaled back via validMachineConfig condition. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - management: - description: |- - management specifies behavior for managing nodes in the pool, such as - upgrade strategies and auto-repair behaviors. 
- properties: - autoRepair: - default: false - description: |- - autoRepair specifies whether health checks should be enabled for machines in the NodePool. The default is false. - Enabling this feature will cause the controller to automatically delete unhealthy machines. - The unhealthy criteria is reserved for the controller implementation and subject to change. - But generally it's determined by checking the Node ready condition is true and a timeout that might vary depending on the platform provider. - AutoRepair will no-op when more than 2 Nodes are unhealthy at the same time. Giving time for the cluster to stabilize or to the user to manually intervene. - type: boolean - inPlace: - description: inPlace is the configuration for in-place upgrades. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - Defaults to 1. - - Example: when this is set to 30%, a max of 30% of the nodes can be made - unschedulable/unavailable immediately when the update starts. Once a set - of nodes is updated, more nodes can be made unschedulable for update, - ensuring that the total number of nodes schedulable at all times during - the update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - replace: - default: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - strategy: RollingUpdate - description: |- - replace is the configuration for rolling upgrades. - It defaults to a RollingUpdate strategy with maxSurge of 1 and maxUnavailable of 0. - properties: - rollingUpdate: - description: |- - rollingUpdate specifies a rolling update strategy which upgrades nodes by - creating new nodes and deleting the old ones. 
- properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - maxSurge is the maximum number of nodes that can be provisioned above the - desired number of nodes. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding up. - - This can not be 0 if MaxUnavailable is 0. - - Defaults to 1. - - Example: when this is set to 30%, new nodes can be provisioned immediately - when the rolling update starts, such that the total number of old and new - nodes do not exceed 130% of desired nodes. Once old nodes have been - deleted, new nodes can be provisioned, ensuring that total number of nodes - running at any time during the update is at most 130% of desired nodes. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - This can not be 0 if MaxSurge is 0. - - Defaults to 0. - - Example: when this is set to 30%, old nodes can be deleted down to 70% of - desired nodes immediately when the rolling update starts. Once new nodes - are ready, more old nodes be deleted, followed by provisioning new nodes, - ensuring that the total number of nodes available at all times during the - update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - strategy: - description: |- - strategy is the node replacement strategy for nodes in the pool. - In can be either "RollingUpdate" or "OnDelete". RollingUpdate will rollout Nodes honoring maxSurge and maxUnavailable. - OnDelete provide more granular control and will replace nodes as the old ones are manually deleted. 
- enum: - - RollingUpdate - - OnDelete - type: string - type: object - x-kubernetes-validations: - - message: The 'rollingUpdate' field can only be set when 'strategy' - is 'RollingUpdate' - rule: '!has(self.rollingUpdate) || self.strategy == ''RollingUpdate''' - upgradeType: - description: |- - upgradeType specifies the type of strategy for handling upgrades. - This can be either "Replace" or "InPlace". - "Replace" will update Nodes by recreating the underlying instances. - "InPlace" will update Nodes by applying changes to the existing instances. This might or might not result in a reboot. - enum: - - Replace - - InPlace - type: string - x-kubernetes-validations: - - message: UpgradeType is immutable - rule: self == oldSelf - required: - - upgradeType - type: object - x-kubernetes-validations: - - message: The 'inPlace' field can only be set when 'upgradeType' - is 'InPlace' - rule: '!has(self.inPlace) || self.upgradeType == ''InPlace''' - nodeDrainTimeout: - description: |- - nodeDrainTimeout is the maximum amount of time that the controller will spend on retrying to drain a node until it succeeds. - The default value is 0, meaning that the node can retry drain without any time limitations. - type: string - nodeLabels: - additionalProperties: - type: string - description: |- - nodeLabels propagates a list of labels to Nodes, only once on creation. - Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - nodeVolumeDetachTimeout: - description: |- - nodeVolumeDetachTimeout is the maximum amount of time that the controller will spend on detaching volumes from a node. - The default value is 0, meaning that the volumes will be detached from the node without any time limitations. - After the timeout, any remaining attached volumes will be ignored and the removal of the machine will continue. 
- type: string - pausedUntil: - description: |- - pausedUntil is a field that can be used to pause reconciliation on the NodePool controller. Resulting in any change to the NodePool being ignored. - Either a date can be provided in RFC3339 format or a boolean as in 'true', 'false', 'True', 'False'. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - maxLength: 35 - minLength: 1 - type: string - x-kubernetes-validations: - - message: PausedUntil must be a date in RFC3339 format or 'True', - 'true', 'False' or 'false' - rule: self.matches('^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.*$') - || self in ['true', 'false', 'True', 'False'] - platform: - description: |- - platform specifies the underlying infrastructure provider for the NodePool - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies the configuration used when using - Agent platform. - properties: - agentLabelSelector: - description: |- - AgentLabelSelector contains labels that must be set on an Agent in order to - be selected for a Machine. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - aws: - description: AWS specifies the configuration used when operating - on AWS. - properties: - ami: - description: |- - AMI is the image id to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - instanceProfile: - description: InstanceProfile is the AWS EC2 instance profile, - which is a container for an IAM role that the EC2 instance - uses. - type: string - instanceType: - description: InstanceType is an ec2 instance type for node - instances (e.g. m5.large). - type: string - placement: - description: placement specifies the placement options for - the EC2 instances. - properties: - tenancy: - description: |- - Tenancy indicates if instance should run on shared or single-tenant hardware. - - Possible values: - default: NodePool instances run on shared hardware. - dedicated: Each NodePool instance runs on single-tenant hardware. - host: NodePool instances run on user's pre-allocated dedicated hosts. - enum: - - default - - dedicated - - host - type: string - type: object - resourceTags: - description: |- - ResourceTags is an optional list of additional tags to apply to AWS node - instances. - - These will be merged with HostedCluster scoped tags, and HostedCluster tags - take precedence in case of conflicts. 
- - See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rootVolume: - description: RootVolume specifies configuration for the root - volume of node instances. - properties: - encrypted: - description: Encrypted is whether the volume should be - encrypted or not. - type: boolean - x-kubernetes-validations: - - message: Encrypted is immutable - rule: self == oldSelf - encryptionKey: - description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. - type: string - iops: - description: |- - IOPS is the number of IOPS requested for the disk. This is only valid - for type io1. - format: int64 - type: integer - size: - description: |- - Size specifies size (in Gi) of the storage device. - - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - type: - description: Type is the type of the volume. 
- type: string - required: - - size - - type - type: object - securityGroups: - description: |- - SecurityGroups is an optional set of security groups to associate with node - instances. - items: - description: |- - AWSResourceReference is a reference to a specific AWS resource by ID or filters. - Only one of ID or Filters may be specified. Specifying more than one will result in - a validation error. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - type: array - subnet: - description: Subnet is the subnet to use for node instances. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names are - case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - x-kubernetes-validations: - - message: subnet is invalid, a valid subnet id or filters - must be set, but not both - rule: 'has(self.id) && self.id.startsWith(''subnet-'') ? - !has(self.filters) : size(self.filters) > 0' - required: - - instanceType - - subnet - type: object - azure: - description: AzureNodePoolPlatform is the platform specific configuration - for an Azure node pool. - properties: - availabilityZone: - description: |- - availabilityZone is the failure domain identifier where the VM should be attached to. This must not be specified - for clusters in a location that does not support AvailabilityZone because it would cause a failure from Azure API. - type: string - diagnostics: - description: |- - diagnostics specifies the diagnostics settings for a virtual machine. - If not specified, then Boot diagnostics will be disabled. - properties: - storageAccountType: - allOf: - - enum: - - Managed - - UserManaged - - Disabled - - enum: - - Managed - - UserManaged - - Disabled - default: Disabled - description: |- - storageAccountType determines if the storage account for storing the diagnostics data - should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). - type: string - userManaged: - description: userManaged specifies the diagnostics settings - for a virtual machine when the storage account is managed - by the user. - properties: - storageAccountURI: - description: |- - storageAccountURI is the URI of the user-managed storage account. - The URI typically will be `https://.blob.core.windows.net/` - but may differ if you are using Azure DNS zone endpoints. 
- You can find the correct endpoint by looking for the Blob Primary Endpoint in the - endpoints tab in the Azure console or with the CLI by issuing - `az storage account list --query='[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}'`. - maxLength: 1024 - type: string - x-kubernetes-validations: - - message: storageAccountURI must be a valid HTTPS - URL - rule: isURL(self) && url(self).getScheme() == 'https' - required: - - storageAccountURI - type: object - type: object - x-kubernetes-validations: - - message: userManaged is required when storageAccountType - is UserManaged, and forbidden otherwise - rule: 'self.storageAccountType == ''UserManaged'' ? has(self.userManaged) - : !has(self.userManaged)' - encryptionAtHost: - default: Enabled - description: |- - encryptionAtHost enables encryption at host on virtual machines. According to Microsoft documentation, this - means data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. See - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell - for more information. - enum: - - Enabled - - Disabled - type: string - image: - description: |- - image is used to configure the VM boot image. If unset, the default image at the location below will be used and - is expected to exist: subscription//resourceGroups//providers/Microsoft.Compute/images/rhcos.x86_64.vhd. - The and the are expected to be the same resource group documented in the - Hosted Cluster specification respectively, HostedCluster.Spec.Platform.Azure.SubscriptionID and - HostedCluster.Spec.Platform.Azure.ResourceGroupName. - properties: - azureMarketplace: - description: azureMarketplace contains the Azure Marketplace - image info to use to boot the Azure VMs from. - properties: - offer: - description: offer specifies the name of a group of - related images created by the publisher. 
- minLength: 1 - type: string - publisher: - description: |- - publisher is the name of the organization that created the image. - It must be between 3 and 50 characters in length, and consist of only lowercase letters, numbers, and hyphens (-) and underscores (_). - It must start with a lowercase letter or a number. - maxLength: 50 - minLength: 3 - pattern: ^[a-z0-9][a-z0-9-_]{2,49}$ - type: string - sku: - description: |- - sku specifies an instance of an offer, such as a major release of a distribution. - For example, 22_04-lts-gen2, 8-lvm-gen2. - The value must consist only of lowercase letters, numbers, and hyphens (-) and underscores (_). - minLength: 1 - pattern: ^[a-z0-9-_]+$ - type: string - version: - description: |- - version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, - Minor, and Build are decimal numbers, e.g. '1.2.0'. Specify 'latest' to use the latest version of an image available at - deployment time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a - new version becomes available. - maxLength: 32 - minLength: 1 - pattern: ^[0-9]+\.[0-9]+\.[0-9]+$|^latest$ - type: string - required: - - offer - - publisher - - sku - - version - type: object - imageID: - description: imageID is the Azure resource ID of a VHD - image to use to boot the Azure VMs from. - type: string - type: - description: |- - type is the type of image data that will be provided to the Azure VM. - Valid values are "ImageID" and "AzureMarketplace". - ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. - AzureMarketplace means the VM will boot from an Azure Marketplace image. - Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. 
- enum: - - ImageID - - AzureMarketplace - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: imageID is required when type is ImageID, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''ImageID'' ? has(self.imageID) - : !has(self.imageID)' - - message: azureMarketplace is required when type is RequiredMember, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AzureMarketplace'' - ? has(self.azureMarketplace) : !has(self.azureMarketplace)' - machineIdentityID: - description: | - machineIdentityID is a user-assigned identity assigned to the VMs used to authenticate with Azure services. The - identify is expected to exist under the same resource group as HostedCluster.Spec.Platform.Azure.ResourceGroupName. This - user assigned identity is expected to have the Contributor role assigned to it and scoped to the resource group - under HostedCluster.Spec.Platform.Azure.ResourceGroupName. - - If this field is not supplied, the Service Principal credentials will be written to a file on the disk of each VM - in order to be accessible by the cloud provider; the aforementioned credentials provided are the same ones as - HostedCluster.Spec.Platform.Azure.Credentials. However, this is less secure than using a managed identity. - type: string - osDisk: - description: |- - osDisk provides configuration for the OS disk for the nodepool. - This can be used to configure the size, storage account type, encryption options and whether the disk is persistent or ephemeral. - When not provided, the platform will choose reasonable defaults which are subject to change over time. - Review the fields within the osDisk for more details. - properties: - diskStorageAccountType: - description: |- - storageAccountType is the disk storage account type to use. - Valid values are Standard, StandardSSD, PremiumSSD and UltraSSD and omitted. - Note that Standard means a HDD. 
- The disk performance is tied to the disk type, please refer to the Azure documentation for further details - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison. - When omitted this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is PremiumSSD. - enum: - - Standard - - StandardSSD - - PremiumSSD - - UltraSSD - type: string - encryptionSetID: - description: |- - encryptionSetID is the ID of the DiskEncryptionSet resource to use to encrypt the OS disks for the VMs. - Configuring a DiskEncyptionSet allows greater control over the encryption of the VM OS disk at rest. - Can be used with either platform (Azure) managed, or customer managed encryption keys. - This needs to exist in the same subscription id listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.SubscriptionID. - DiskEncryptionSetID should also exist in a resource group under the same subscription id and the same location - listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.Location. - The encryptionSetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The resourceName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores. 
- maxLength: 285 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}` - rule: size(self.split('/')) == 9 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Compute/diskEncryptionSets/.*$') - - message: The resourceGroupName should be between 1 and - 90 characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the encryptionSetID - must not end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The resourceName should be between 1 and 80 - characters, consisting only of alphanumeric characters, - hyphens and underscores - rule: self.split('/')[8].matches('[a-zA-Z0-9-_]{1,80}') - persistence: - description: |- - persistence determines whether the OS disk should be persisted beyond the life of the VM. - Valid values are Persistent and Ephemeral. - When set to Ephmeral, the OS disk will not be persisted to Azure storage and implies restrictions to the VM size and caching type. - Full details can be found in the Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks. - Ephmeral disks are primarily used for stateless applications, provide lower latency than Persistent disks and also incur no storage costs. - When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - enum: - - Persistent - - Ephemeral - type: string - sizeGiB: - description: |- - SizeGiB is the size in GiB (1024^3 bytes) to assign to the OS disk. - This should be between 16 and 65,536 when using the UltraSSD storage account type and between 16 and 32,767 when using any other storage account type. 
- When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 30. - format: int32 - maximum: 65536 - minimum: 16 - type: integer - type: object - x-kubernetes-validations: - - message: When not using storageAccountType UltraSSD, the - SizeGB value must be less than or equal to 32,767 - rule: '!has(self.diskStorageAccountType) || self.diskStorageAccountType - != ''UltraSSD'' || self.sizeGiB <= 32767' - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - vmSize: - description: |- - vmSize is the Azure VM instance type to use for the nodes being created in the nodepool. - The size naming convention is documented here https://learn.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions. 
- Size names should start with a Family name, which is represented by one of more capital letters, and then be followed by the CPU count. - This is followed by 0 or more additional features, represented by a, b, d, i, l, m, p, t, s, C, and NP, refer to the Azure documentation for an explanation of these features. - Optionally an accelerator such as a GPU can be added, prefixed by an underscore, for example A100, H100 or MI300X. - The size may also be versioned, in which case it should be suffixed with _v where the version is a number. - For example, "D32ads_v5" would be a suitable general purpose VM size, or "ND96_MI300X_v5" would represent a GPU accelerated VM. - pattern: ^(Standard_|Basic_)?[A-Z]+[0-9]+(-[0-9]+)?[abdilmptsCNP]*(_[A-Z]*[0-9]+[A-Z]*)?(_v[0-9]+)?$ - type: string - required: - - image - - osDisk - - subnetID - - vmSize - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: Kubevirt specifies the configuration used when operating - on KubeVirt platform. 
- properties: - additionalNetworks: - description: AdditionalNetworks specify the extra networks - attached to the nodes - items: - description: |- - KubevirtNetwork specifies the configuration for a virtual machine - network interface - properties: - name: - description: |- - Name specify the network attached to the nodes - it is a value with the format "[namespace]/[name]" to reference the - multus network attachment definition - type: string - required: - - name - type: object - type: array - attachDefaultNetwork: - default: true - description: |- - AttachDefaultNetwork specify if the default pod network should be attached to the nodes - this can only be set to false if AdditionalNetworks are configured - type: boolean - compute: - default: - cores: 2 - memory: 8Gi - description: Compute contains values representing the virtual - hardware requested for the VM - properties: - cores: - default: 2 - description: Cores represents how many cores the guest - VM should have - format: int32 - type: integer - memory: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Memory represents how much guest memory the - VM should have - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - qosClass: - default: Burstable - description: |- - QosClass If set to "Guaranteed", requests the scheduler to place the VirtualMachineInstance on a node with - limit memory and CPU, equal to be the requested values, to set the VMI as a Guaranteed QoS Class; - See here for more details: - https://kubevirt.io/user-guide/operations/node_overcommit/#requesting-the-right-qos-class-for-virtualmachineinstances - enum: - - Burstable - - Guaranteed - type: string - type: object - hostDevices: - description: |- - KubevirtHostDevices specifies the host devices (e.g. 
GPU devices) to be passed - from the management cluster, to the nodepool nodes - items: - properties: - count: - default: 1 - description: |- - Count is the number of instances the specified host device will be attached to each of the - NodePool's nodes. Default is 1. - minimum: 1 - type: integer - deviceName: - description: |- - DeviceName is the name of the host device that is desired to be utilized in the HostedCluster's NodePool - The device can be any supported PCI device, including GPU, either as a passthrough or a vGPU slice. - type: string - required: - - deviceName - type: object - type: array - networkInterfaceMultiqueue: - default: Enable - description: |- - NetworkInterfaceMultiQueue If set to "Enable", virtual network interfaces configured with a virtio bus will also - enable the vhost multiqueue feature for network devices. The number of queues created depends on additional - factors of the VirtualMachineInstance, like the number of guest CPUs. - enum: - - Enable - - Disable - type: string - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the kubevirt VirtualMachine to fit on a node. - Selector which must match a node's labels for the VM to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - rootVolume: - default: - persistent: - size: 32Gi - type: Persistent - description: RootVolume represents values associated with - the VM volume that will host rhcos - properties: - cacheStrategy: - description: CacheStrategy defines the boot image caching - strategy. 
Default - no caching - properties: - type: - default: None - description: Type is the type of the caching strategy - enum: - - None - - PVC - type: string - required: - - type - type: object - diskImage: - description: Image represents what rhcos image to use - for the node pool - properties: - containerDiskImage: - description: ContainerDiskImage is a string representing - the container image that holds the root disk - type: string - type: object - persistent: - description: |- - Persistent volume type means the VM's storage is backed by a PVC - VMs that use persistent volumes can survive disruption events like restart and eviction - This is the default type used when no storage type is defined. - properties: - accessModes: - description: |- - AccessModes is an array that contains the desired Access Modes the root volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes - items: - enum: - - ReadWriteOnce - - ReadWriteMany - - ReadOnly - - ReadWriteOncePod - type: string - type: array - size: - anyOf: - - type: integer - - type: string - default: 32Gi - description: Size is the size of the persistent storage - volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - storageClass: - description: StorageClass is the storageClass used - for the underlying PVC that hosts the volume - type: string - volumeMode: - description: |- - VolumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - enum: - - Filesystem - - Block - type: string - type: object - type: - default: Persistent - description: Type represents the type of storage to associate - with the kubevirt VMs. 
- enum: - - Persistent - type: string - type: object - required: - - rootVolume - type: object - powervs: - description: PowerVS specifies the configuration used when using - IBMCloud PowerVS platform. - properties: - image: - description: |- - Image used for deploying the nodes. If unspecified, the default - is chosen based on the NodePool release payload image. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - imageDeletePolicy: - default: delete - description: |- - ImageDeletePolicy is policy for the image deletion. - - delete: delete the image from the infrastructure. - retain: delete the image from the openshift but retain in the infrastructure. - - The default is delete - enum: - - delete - - retain - type: string - memoryGiB: - default: 32 - description: |- - MemoryGiB is the size of a virtual machine's memory, in GiB. - maximum value for the MemoryGiB depends on the selected SystemType. - when SystemType is set to e880 maximum MemoryGiB value is 7463 GiB. - when SystemType is set to e980 maximum MemoryGiB value is 15307 GiB. - when SystemType is set to s922 maximum MemoryGiB value is 942 GiB. - The minimum memory is 32 GiB. - - When omitted, this means the user has no opinion and the platform is left to choose a reasonable - default. The current default is 32. - format: int32 - type: integer - processorType: - default: shared - description: |- - ProcessorType is the VM instance processor type. - It must be set to one of the following values: Dedicated, Capped or Shared. - - Dedicated: resources are allocated for a specific client, The hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. - Shared: Shared among other clients. - Capped: Shared, but resources do not expand beyond those that are requested, the amount of CPU time is Capped to the value specified for the entitlement. 
- - if the processorType is selected as Dedicated, then Processors value cannot be fractional. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is shared. - enum: - - dedicated - - shared - - capped - type: string - processors: - anyOf: - - type: integer - - type: string - default: "0.5" - description: |- - Processors is the number of virtual processors in a virtual machine. - when the processorType is selected as Dedicated the processors value cannot be fractional. - maximum value for the Processors depends on the selected SystemType. - when SystemType is set to e880 or e980 maximum Processors value is 143. - when SystemType is set to s922 maximum Processors value is 15. - minimum value for Processors depends on the selected ProcessorType. - when ProcessorType is set as Shared or Capped, The minimum processors is 0.5. - when ProcessorType is set as Dedicated, The minimum processors is 1. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The default is set based on the selected ProcessorType. - when ProcessorType selected as Dedicated, the default is set to 1. - when ProcessorType selected as Shared or Capped, the default is set to 0.5. - x-kubernetes-int-or-string: true - storageType: - default: tier1 - description: |- - StorageType for the image and nodes, this will be ignored if Image is specified. - The storage tiers in PowerVS are based on I/O operations per second (IOPS). - It means that the performance of your storage volumes is limited to the maximum number of IOPS based on volume size and storage tier. - Although, the exact numbers might change over time, the Tier 3 storage is currently set to 3 IOPS/GB, and the Tier 1 storage is currently set to 10 IOPS/GB. 
- - The default is tier1 - enum: - - tier1 - - tier3 - type: string - systemType: - default: s922 - description: |- - SystemType is the System type used to host the instance. - systemType determines the number of cores and memory that is available. - Few of the supported SystemTypes are s922,e880,e980. - e880 systemType available only in Dallas Datacenters. - e980 systemType available in Datacenters except Dallas and Washington. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is s922 which is generally available. - type: string - type: object - type: - description: Type specifies the platform name. - enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - release: - description: |- - release specifies the OCP release used for the NodePool. This informs the - ignition configuration for machines which includes the kubelet version, as well as other platform specific - machine properties (e.g. an AMI on the AWS platform). - It's not supported to use a release in a NodePool which minor version skew against the Control Plane release is bigger than N-2. Although there's no enforcement that prevents this from happening. - Attempting to use a release with a bigger skew might result in unpredictable behaviour. - Attempting to use a release higher than the HosterCluster one will result in the NodePool being degraded and the ValidReleaseImage condition being false. - Attempting to use a release lower than the current NodePool y-stream will result in the NodePool being degraded and the ValidReleaseImage condition being false. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. 
- maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - replicas: - description: |- - replicas is the desired number of nodes the pool should maintain. If unset, the controller default value is 0. - replicas is mutually exclusive with autoscaling. If autoscaling is configured, replicas must be omitted and autoscaling will control the NodePool size internally. - format: int32 - type: integer - taints: - description: |- - taints if specified, propagates a list of taints to Nodes, only once on creation. - These taints are additive to the ones applied by other controllers - items: - description: |- - taint is as v1 Core but without TimeAdded. - https://github.com/kubernetes/kubernetes/blob/ed8cad1e80d096257921908a52ac69cf1f41a098/staging/src/k8s.io/api/core/v1/types.go#L3037-L3053 - Validation replicates the same validation as the upstream https://github.com/kubernetes/kubernetes/blob/9a2a7537f035969a68e432b4cc276dbce8ce1735/pkg/util/taints/taints.go#L273. - See also https://kubernetes.io/docs/concepts/overview/working-with-objects/names/. - properties: - effect: - description: |- - effect is the effect of the taint on pods - that do not tolerate the taint. - Valid effects are NoSchedule, PreferNoSchedule and NoExecute. - enum: - - NoSchedule - - PreferNoSchedule - - NoExecute - type: string - key: - description: key is the taint key to be applied to a node. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must be a qualified name with an optional subdomain - prefix e.g. example.com/MyName - rule: self.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/)?[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$') - value: - description: value is the taint value corresponding to the taint - key. 
- maxLength: 253 - type: string - x-kubernetes-validations: - - message: Value must start and end with alphanumeric characters - and can only contain '-', '_', '.' in the middle - rule: self.matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$') - required: - - effect - - key - type: object - maxItems: 50 - type: array - tuningConfig: - description: |- - tuningConfig is a list of references to ConfigMaps containing serialized - Tuned or PerformanceProfile resources to define the tuning configuration to be applied to - nodes in the NodePool. The Tuned API is defined here: - - https://github.com/openshift/cluster-node-tuning-operator/blob/2c76314fb3cc8f12aef4a0dcd67ddc3677d5b54f/pkg/apis/tuned/v1/tuned_types.go - - The PerformanceProfile API is defined here: - https://github.com/openshift/cluster-node-tuning-operator/tree/b41042d42d4ba5bb2e99960248cf1d6ae4935018/pkg/apis/performanceprofile/v2 - - Each ConfigMap must have a single key named "tuning" whose value is the - JSON or YAML of a serialized Tuned or PerformanceProfile. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. 
- More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - required: - - clusterName - - management - - platform - - release - type: object - x-kubernetes-validations: - - message: Arch is required once set - rule: '!has(oldSelf.arch) || has(self.arch)' - - message: Setting Arch to arm64 is only supported for AWS and Azure - rule: self.arch != 'arm64' || has(self.platform.aws) || has(self.platform.azure) - - message: Both replicas or autoScaling should not be set - rule: '!has(self.replicas) || !has(self.autoScaling)' - status: - description: Status is the latest observed status of the NodePool. - properties: - conditions: - description: |- - Conditions represents the latest available observations of the node pool's - current state. - items: - description: |- - We define our own condition type since metav1.Condition has validation - for Reason that might be broken by what we bubble up from CAPI. - NodePoolCondition defines an observation of NodePool resource operational state. - properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - observedGeneration: - format: int64 - minimum: 0 - type: integer - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. - This field may not be empty. 
- type: string - severity: - description: |- - Severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: |- - Type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - platform: - description: Platform hols the specific statuses - properties: - kubeVirt: - description: KubeVirt contains the KubeVirt platform statuses - properties: - cacheName: - description: CacheName holds the name of the cache DataVolume, - if exists - type: string - credentials: - description: |- - Credentials shows the client credentials used when creating KubeVirt virtual machines. - This filed is only exists when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. 
- properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - type: object - type: object - replicas: - description: Replicas is the latest observed number of nodes in the - pool. - format: int32 - type: integer - version: - description: |- - Version is the semantic version of the latest applied release specified by - the NodePool. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - status: {} diff --git a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-TechPreviewNoUpgrade.crd.yaml b/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-TechPreviewNoUpgrade.crd.yaml deleted file mode 100644 index d43061ae9de..00000000000 --- a/cmd/install/assets/hypershift-operator/zz_generated.crd-manifests/nodepools-TechPreviewNoUpgrade.crd.yaml +++ /dev/null 
@@ -1,1468 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api.openshift.io/merged-by-featuregates: "true" - include.release.openshift.io/ibm-cloud-managed: "true" - include.release.openshift.io/self-managed-high-availability: "true" - release.openshift.io/feature-set: TechPreviewNoUpgrade - name: nodepools.hypershift.openshift.io -spec: - group: hypershift.openshift.io - names: - kind: NodePool - listKind: NodePoolList - plural: nodepools - shortNames: - - np - - nps - singular: nodepool - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Cluster - jsonPath: .spec.clusterName - name: Cluster - type: string - - description: Desired Nodes - jsonPath: .spec.replicas - name: Desired Nodes - type: integer - - description: Available Nodes - jsonPath: .status.replicas - name: Current Nodes - type: integer - - description: Autoscaling Enabled - jsonPath: .status.conditions[?(@.type=="AutoscalingEnabled")].status - name: Autoscaling - type: string - - description: Node Autorepair Enabled - jsonPath: .status.conditions[?(@.type=="AutorepairEnabled")].status - name: Autorepair - type: string - - description: Current version - jsonPath: .status.version - name: Version - type: string - - description: UpdatingVersion in progress - jsonPath: .status.conditions[?(@.type=="UpdatingVersion")].status - name: UpdatingVersion - type: string - - description: UpdatingConfig in progress - jsonPath: .status.conditions[?(@.type=="UpdatingConfig")].status - name: UpdatingConfig - type: string - - description: Message - jsonPath: .status.conditions[?(@.type=="Ready")].message - name: Message - type: string - name: v1beta1 - schema: - openAPIV3Schema: - description: |- - NodePool is a scalable set of worker nodes attached to a HostedCluster. - NodePool machine architectures are uniform within a given pool, and are - independent of the control plane’s underlying machine architecture. 
- properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Spec is the desired behavior of the NodePool. - properties: - arch: - default: amd64 - description: "arch is the preferred processor architecture for the - NodePool. Different platforms might have different supported architectures.\n\thttps://github.com/kubernetes/kubernetes/issues/108768#issuecomment-1253912215" - enum: - - arm64 - - amd64 - - ppc64le - type: string - x-kubernetes-validations: - - message: Arch is immutable - rule: self == oldSelf - autoScaling: - description: |- - autoscaling specifies auto-scaling behavior for the NodePool. - autoscaling is mutually exclusive with replicas. If replicas is set, this field must be ommited. - properties: - max: - description: Max is the maximum number of nodes allowed in the - pool. Must be >= 1 and >= Min. - format: int32 - minimum: 1 - type: integer - min: - description: Min is the minimum number of nodes to maintain in - the pool. Must be >= 1 and <= .Max. - format: int32 - minimum: 1 - type: integer - required: - - max - - min - type: object - x-kubernetes-validations: - - message: max must be equal or greater than min - rule: self.max >= self.min - clusterName: - description: |- - clusterName is the name of the HostedCluster this NodePool belongs to. 
- If a HostedCluster with this name doesn't exist, the controller will no-op until it exists. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: ClusterName is immutable - rule: self == oldSelf - - message: clusterName must consist of lowercase alphanumeric characters - or '-', start and end with an alphanumeric character, and be between - 1 and 253 characters - rule: self.matches('^[a-z0-9]([-a-z0-9]*[a-z0-9])?$') - config: - description: |- - config is a list of references to ConfigMaps containing serialized - MachineConfig resources to be injected into the ignition configurations of - nodes in the NodePool. The MachineConfig API schema is defined here: - - https://github.com/openshift/machine-config-operator/blob/18963e4f8fe66e8c513ca4b131620760a414997f/pkg/apis/machineconfiguration.openshift.io/v1/types.go#L185 - - Each ConfigMap must have a single key named "config" whose value is the YML - with one or more serialized machineconfiguration.openshift.io resources: - - * KubeletConfig - * ContainerRuntimeConfig - * MachineConfig - * ClusterImagePolicy - * ImageContentSourcePolicy - * ImageDigestMirrorSet - - This is validated in the backend and signaled back via validMachineConfig condition. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - management: - description: |- - management specifies behavior for managing nodes in the pool, such as - upgrade strategies and auto-repair behaviors. 
- properties: - autoRepair: - default: false - description: |- - autoRepair specifies whether health checks should be enabled for machines in the NodePool. The default is false. - Enabling this feature will cause the controller to automatically delete unhealthy machines. - The unhealthy criteria is reserved for the controller implementation and subject to change. - But generally it's determined by checking the Node ready condition is true and a timeout that might vary depending on the platform provider. - AutoRepair will no-op when more than 2 Nodes are unhealthy at the same time. Giving time for the cluster to stabilize or to the user to manually intervene. - type: boolean - inPlace: - description: inPlace is the configuration for in-place upgrades. - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - Defaults to 1. - - Example: when this is set to 30%, a max of 30% of the nodes can be made - unschedulable/unavailable immediately when the update starts. Once a set - of nodes is updated, more nodes can be made unschedulable for update, - ensuring that the total number of nodes schedulable at all times during - the update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - replace: - default: - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - strategy: RollingUpdate - description: |- - replace is the configuration for rolling upgrades. - It defaults to a RollingUpdate strategy with maxSurge of 1 and maxUnavailable of 0. - properties: - rollingUpdate: - description: |- - rollingUpdate specifies a rolling update strategy which upgrades nodes by - creating new nodes and deleting the old ones. 
- properties: - maxSurge: - anyOf: - - type: integer - - type: string - description: |- - maxSurge is the maximum number of nodes that can be provisioned above the - desired number of nodes. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding up. - - This can not be 0 if MaxUnavailable is 0. - - Defaults to 1. - - Example: when this is set to 30%, new nodes can be provisioned immediately - when the rolling update starts, such that the total number of old and new - nodes do not exceed 130% of desired nodes. Once old nodes have been - deleted, new nodes can be provisioned, ensuring that total number of nodes - running at any time during the update is at most 130% of desired nodes. - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - description: |- - maxUnavailable is the maximum number of nodes that can be unavailable - during the update. - - Value can be an absolute number (ex: 5) or a percentage of desired nodes - (ex: 10%). - - Absolute number is calculated from percentage by rounding down. - - This can not be 0 if MaxSurge is 0. - - Defaults to 0. - - Example: when this is set to 30%, old nodes can be deleted down to 70% of - desired nodes immediately when the rolling update starts. Once new nodes - are ready, more old nodes be deleted, followed by provisioning new nodes, - ensuring that the total number of nodes available at all times during the - update is at least 70% of desired nodes. - x-kubernetes-int-or-string: true - type: object - strategy: - description: |- - strategy is the node replacement strategy for nodes in the pool. - In can be either "RollingUpdate" or "OnDelete". RollingUpdate will rollout Nodes honoring maxSurge and maxUnavailable. - OnDelete provide more granular control and will replace nodes as the old ones are manually deleted. 
- enum: - - RollingUpdate - - OnDelete - type: string - type: object - x-kubernetes-validations: - - message: The 'rollingUpdate' field can only be set when 'strategy' - is 'RollingUpdate' - rule: '!has(self.rollingUpdate) || self.strategy == ''RollingUpdate''' - upgradeType: - description: |- - upgradeType specifies the type of strategy for handling upgrades. - This can be either "Replace" or "InPlace". - "Replace" will update Nodes by recreating the underlying instances. - "InPlace" will update Nodes by applying changes to the existing instances. This might or might not result in a reboot. - enum: - - Replace - - InPlace - type: string - x-kubernetes-validations: - - message: UpgradeType is immutable - rule: self == oldSelf - required: - - upgradeType - type: object - x-kubernetes-validations: - - message: The 'inPlace' field can only be set when 'upgradeType' - is 'InPlace' - rule: '!has(self.inPlace) || self.upgradeType == ''InPlace''' - nodeDrainTimeout: - description: |- - nodeDrainTimeout is the maximum amount of time that the controller will spend on retrying to drain a node until it succeeds. - The default value is 0, meaning that the node can retry drain without any time limitations. - type: string - nodeLabels: - additionalProperties: - type: string - description: |- - nodeLabels propagates a list of labels to Nodes, only once on creation. - Valid values are those in https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#syntax-and-character-set - type: object - nodeVolumeDetachTimeout: - description: |- - nodeVolumeDetachTimeout is the maximum amount of time that the controller will spend on detaching volumes from a node. - The default value is 0, meaning that the volumes will be detached from the node without any time limitations. - After the timeout, any remaining attached volumes will be ignored and the removal of the machine will continue. 
- type: string - pausedUntil: - description: |- - pausedUntil is a field that can be used to pause reconciliation on the NodePool controller. Resulting in any change to the NodePool being ignored. - Either a date can be provided in RFC3339 format or a boolean as in 'true', 'false', 'True', 'False'. If a date is - provided: reconciliation is paused on the resource until that date. If the boolean true is - provided: reconciliation is paused on the resource until the field is removed. - maxLength: 35 - minLength: 1 - type: string - x-kubernetes-validations: - - message: PausedUntil must be a date in RFC3339 format or 'True', - 'true', 'False' or 'false' - rule: self.matches('^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}.*$') - || self in ['true', 'false', 'True', 'False'] - platform: - description: |- - platform specifies the underlying infrastructure provider for the NodePool - and is used to configure platform specific behavior. - properties: - agent: - description: Agent specifies the configuration used when using - Agent platform. - properties: - agentLabelSelector: - description: |- - AgentLabelSelector contains labels that must be set on an Agent in order to - be selected for a Machine. - properties: - matchExpressions: - description: matchExpressions is a list of label selector - requirements. The requirements are ANDed. - items: - description: |- - A label selector requirement is a selector that contains values, a key, and an operator that - relates the key and values. - properties: - key: - description: key is the label key that the selector - applies to. - type: string - operator: - description: |- - operator represents a key's relationship to a set of values. - Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: |- - values is an array of string values. If the operator is In or NotIn, - the values array must be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. 
This array is replaced during a strategic - merge patch. - items: - type: string - type: array - x-kubernetes-list-type: atomic - required: - - key - - operator - type: object - type: array - x-kubernetes-list-type: atomic - matchLabels: - additionalProperties: - type: string - description: |- - matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, whose key field is "key", the - operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - x-kubernetes-map-type: atomic - type: object - aws: - description: AWS specifies the configuration used when operating - on AWS. - properties: - ami: - description: |- - AMI is the image id to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - instanceProfile: - description: InstanceProfile is the AWS EC2 instance profile, - which is a container for an IAM role that the EC2 instance - uses. - type: string - instanceType: - description: InstanceType is an ec2 instance type for node - instances (e.g. m5.large). - type: string - placement: - description: placement specifies the placement options for - the EC2 instances. - properties: - tenancy: - description: |- - Tenancy indicates if instance should run on shared or single-tenant hardware. - - Possible values: - default: NodePool instances run on shared hardware. - dedicated: Each NodePool instance runs on single-tenant hardware. - host: NodePool instances run on user's pre-allocated dedicated hosts. - enum: - - default - - dedicated - - host - type: string - type: object - resourceTags: - description: |- - ResourceTags is an optional list of additional tags to apply to AWS node - instances. - - These will be merged with HostedCluster scoped tags, and HostedCluster tags - take precedence in case of conflicts. 
- - See https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html for - information on tagging AWS resources. AWS supports a maximum of 50 tags per - resource. OpenShift reserves 25 tags for its use, leaving 25 tags available - for the user. - items: - description: AWSResourceTag is a tag to apply to AWS resources - created for the cluster. - properties: - key: - description: Key is the key of the tag. - maxLength: 128 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - value: - description: |- - Value is the value of the tag. - - Some AWS service do not support empty values. Since tags are added to - resources in many services, the length of the tag value must meet the - requirements of all services. - maxLength: 256 - minLength: 1 - pattern: ^[0-9A-Za-z_.:/=+-@]+$ - type: string - required: - - key - - value - type: object - maxItems: 25 - type: array - rootVolume: - description: RootVolume specifies configuration for the root - volume of node instances. - properties: - encrypted: - description: Encrypted is whether the volume should be - encrypted or not. - type: boolean - x-kubernetes-validations: - - message: Encrypted is immutable - rule: self == oldSelf - encryptionKey: - description: |- - EncryptionKey is the KMS key to use to encrypt the volume. Can be either a KMS key ID or ARN. - If Encrypted is set and this is omitted, the default AWS key will be used. - The key must already exist and be accessible by the controller. - type: string - iops: - description: |- - IOPS is the number of IOPS requested for the disk. This is only valid - for type io1. - format: int64 - type: integer - size: - description: |- - Size specifies size (in Gi) of the storage device. - - Must be greater than the image snapshot size or 8 (whichever is greater). - format: int64 - minimum: 8 - type: integer - type: - description: Type is the type of the volume. 
- type: string - required: - - size - - type - type: object - securityGroups: - description: |- - SecurityGroups is an optional set of security groups to associate with node - instances. - items: - description: |- - AWSResourceReference is a reference to a specific AWS resource by ID or filters. - Only one of ID or Filters may be specified. Specifying more than one will result in - a validation error. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names - are case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. - items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - type: array - subnet: - description: Subnet is the subnet to use for node instances. - properties: - filters: - description: |- - Filters is a set of key/value pairs used to identify a resource - They are applied according to the rules defined by the AWS API: - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Filtering.html - items: - description: Filter is a filter used to identify an - AWS resource - properties: - name: - description: Name of the filter. Filter names are - case-sensitive. - type: string - values: - description: Values includes one or more filter - values. Filter values are case-sensitive. 
- items: - type: string - type: array - required: - - name - - values - type: object - type: array - id: - description: ID of resource - type: string - type: object - x-kubernetes-validations: - - message: subnet is invalid, a valid subnet id or filters - must be set, but not both - rule: 'has(self.id) && self.id.startsWith(''subnet-'') ? - !has(self.filters) : size(self.filters) > 0' - required: - - instanceType - - subnet - type: object - azure: - description: AzureNodePoolPlatform is the platform specific configuration - for an Azure node pool. - properties: - availabilityZone: - description: |- - availabilityZone is the failure domain identifier where the VM should be attached to. This must not be specified - for clusters in a location that does not support AvailabilityZone because it would cause a failure from Azure API. - type: string - diagnostics: - description: |- - diagnostics specifies the diagnostics settings for a virtual machine. - If not specified, then Boot diagnostics will be disabled. - properties: - storageAccountType: - allOf: - - enum: - - Managed - - UserManaged - - Disabled - - enum: - - Managed - - UserManaged - - Disabled - default: Disabled - description: |- - storageAccountType determines if the storage account for storing the diagnostics data - should be disabled (Disabled), provisioned by Azure (Managed) or by the user (UserManaged). - type: string - userManaged: - description: userManaged specifies the diagnostics settings - for a virtual machine when the storage account is managed - by the user. - properties: - storageAccountURI: - description: |- - storageAccountURI is the URI of the user-managed storage account. - The URI typically will be `https://.blob.core.windows.net/` - but may differ if you are using Azure DNS zone endpoints. 
- You can find the correct endpoint by looking for the Blob Primary Endpoint in the - endpoints tab in the Azure console or with the CLI by issuing - `az storage account list --query='[].{name: name, "resource group": resourceGroup, "blob endpoint": primaryEndpoints.blob}'`. - maxLength: 1024 - type: string - x-kubernetes-validations: - - message: storageAccountURI must be a valid HTTPS - URL - rule: isURL(self) && url(self).getScheme() == 'https' - required: - - storageAccountURI - type: object - type: object - x-kubernetes-validations: - - message: userManaged is required when storageAccountType - is UserManaged, and forbidden otherwise - rule: 'self.storageAccountType == ''UserManaged'' ? has(self.userManaged) - : !has(self.userManaged)' - encryptionAtHost: - default: Enabled - description: |- - encryptionAtHost enables encryption at host on virtual machines. According to Microsoft documentation, this - means data stored on the VM host is encrypted at rest and flows encrypted to the Storage service. See - https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal?tabs=azure-powershell - for more information. - enum: - - Enabled - - Disabled - type: string - image: - description: |- - image is used to configure the VM boot image. If unset, the default image at the location below will be used and - is expected to exist: subscription//resourceGroups//providers/Microsoft.Compute/images/rhcos.x86_64.vhd. - The and the are expected to be the same resource group documented in the - Hosted Cluster specification respectively, HostedCluster.Spec.Platform.Azure.SubscriptionID and - HostedCluster.Spec.Platform.Azure.ResourceGroupName. - properties: - azureMarketplace: - description: azureMarketplace contains the Azure Marketplace - image info to use to boot the Azure VMs from. - properties: - offer: - description: offer specifies the name of a group of - related images created by the publisher. 
- minLength: 1 - type: string - publisher: - description: |- - publisher is the name of the organization that created the image. - It must be between 3 and 50 characters in length, and consist of only lowercase letters, numbers, and hyphens (-) and underscores (_). - It must start with a lowercase letter or a number. - maxLength: 50 - minLength: 3 - pattern: ^[a-z0-9][a-z0-9-_]{2,49}$ - type: string - sku: - description: |- - sku specifies an instance of an offer, such as a major release of a distribution. - For example, 22_04-lts-gen2, 8-lvm-gen2. - The value must consist only of lowercase letters, numbers, and hyphens (-) and underscores (_). - minLength: 1 - pattern: ^[a-z0-9-_]+$ - type: string - version: - description: |- - version specifies the version of an image sku. The allowed formats are Major.Minor.Build or 'latest'. Major, - Minor, and Build are decimal numbers, e.g. '1.2.0'. Specify 'latest' to use the latest version of an image available at - deployment time. Even if you use 'latest', the VM image will not automatically update after deploy time even if a - new version becomes available. - maxLength: 32 - minLength: 1 - pattern: ^[0-9]+\.[0-9]+\.[0-9]+$|^latest$ - type: string - required: - - offer - - publisher - - sku - - version - type: object - imageID: - description: imageID is the Azure resource ID of a VHD - image to use to boot the Azure VMs from. - type: string - type: - description: |- - type is the type of image data that will be provided to the Azure VM. - Valid values are "ImageID" and "AzureMarketplace". - ImageID means is used for legacy managed VM images. This is where the user uploads a VM image directly to their resource group. - AzureMarketplace means the VM will boot from an Azure Marketplace image. - Marketplace images are preconfigured and published by the OS vendors and may include preconfigured software for the VM. 
- enum: - - ImageID - - AzureMarketplace - type: string - required: - - type - type: object - x-kubernetes-validations: - - message: imageID is required when type is ImageID, and forbidden - otherwise - rule: 'has(self.type) && self.type == ''ImageID'' ? has(self.imageID) - : !has(self.imageID)' - - message: azureMarketplace is required when type is RequiredMember, - and forbidden otherwise - rule: 'has(self.type) && self.type == ''AzureMarketplace'' - ? has(self.azureMarketplace) : !has(self.azureMarketplace)' - machineIdentityID: - description: | - machineIdentityID is a user-assigned identity assigned to the VMs used to authenticate with Azure services. The - identify is expected to exist under the same resource group as HostedCluster.Spec.Platform.Azure.ResourceGroupName. This - user assigned identity is expected to have the Contributor role assigned to it and scoped to the resource group - under HostedCluster.Spec.Platform.Azure.ResourceGroupName. - - If this field is not supplied, the Service Principal credentials will be written to a file on the disk of each VM - in order to be accessible by the cloud provider; the aforementioned credentials provided are the same ones as - HostedCluster.Spec.Platform.Azure.Credentials. However, this is less secure than using a managed identity. - type: string - osDisk: - description: |- - osDisk provides configuration for the OS disk for the nodepool. - This can be used to configure the size, storage account type, encryption options and whether the disk is persistent or ephemeral. - When not provided, the platform will choose reasonable defaults which are subject to change over time. - Review the fields within the osDisk for more details. - properties: - diskStorageAccountType: - description: |- - storageAccountType is the disk storage account type to use. - Valid values are Standard, StandardSSD, PremiumSSD and UltraSSD and omitted. - Note that Standard means a HDD. 
- The disk performance is tied to the disk type, please refer to the Azure documentation for further details - https://docs.microsoft.com/en-us/azure/virtual-machines/disks-types#disk-type-comparison. - When omitted this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is PremiumSSD. - enum: - - Standard - - StandardSSD - - PremiumSSD - - UltraSSD - type: string - encryptionSetID: - description: |- - encryptionSetID is the ID of the DiskEncryptionSet resource to use to encrypt the OS disks for the VMs. - Configuring a DiskEncyptionSet allows greater control over the encryption of the VM OS disk at rest. - Can be used with either platform (Azure) managed, or customer managed encryption keys. - This needs to exist in the same subscription id listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.SubscriptionID. - DiskEncryptionSetID should also exist in a resource group under the same subscription id and the same location - listed in the Hosted Cluster, HostedCluster.Spec.Platform.Azure.Location. - The encryptionSetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The resourceName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores. 
- maxLength: 285 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Copmute/diskEncryptionSets/{resourceName}` - rule: size(self.split('/')) == 9 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Compute/diskEncryptionSets/.*$') - - message: The resourceGroupName should be between 1 and - 90 characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the encryptionSetID - must not end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The resourceName should be between 1 and 80 - characters, consisting only of alphanumeric characters, - hyphens and underscores - rule: self.split('/')[8].matches('[a-zA-Z0-9-_]{1,80}') - persistence: - description: |- - persistence determines whether the OS disk should be persisted beyond the life of the VM. - Valid values are Persistent and Ephemeral. - When set to Ephmeral, the OS disk will not be persisted to Azure storage and implies restrictions to the VM size and caching type. - Full details can be found in the Azure documentation https://learn.microsoft.com/en-us/azure/virtual-machines/ephemeral-os-disks. - Ephmeral disks are primarily used for stateless applications, provide lower latency than Persistent disks and also incur no storage costs. - When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - enum: - - Persistent - - Ephemeral - type: string - sizeGiB: - description: |- - SizeGiB is the size in GiB (1024^3 bytes) to assign to the OS disk. - This should be between 16 and 65,536 when using the UltraSSD storage account type and between 16 and 32,767 when using any other storage account type. 
- When not set, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. - The current default is 30. - format: int32 - maximum: 65536 - minimum: 16 - type: integer - type: object - x-kubernetes-validations: - - message: When not using storageAccountType UltraSSD, the - SizeGB value must be less than or equal to 32,767 - rule: '!has(self.diskStorageAccountType) || self.diskStorageAccountType - != ''UltraSSD'' || self.sizeGiB <= 32767' - subnetID: - description: |- - subnetID is the subnet ID of an existing subnet where the nodes in the nodepool will be created. This can be a - different subnet than the one listed in the HostedCluster, HostedCluster.Spec.Platform.Azure.SubnetID, but must - exist in the same network, HostedCluster.Spec.Platform.Azure.VnetID, and must exist under the same subscription ID, - HostedCluster.Spec.Platform.Azure.SubscriptionID. - subnetID is immutable once set. - The subnetID should be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}`. - The subscriptionId in the encryptionSetID must be a valid UUID. It should be 5 groups of hyphen separated hexadecimal characters in the form 8-4-4-4-12. - The resourceGroupName should be between 1 and 90 characters, consisting only of alphanumeric characters, hyphens, underscores, periods and paranthesis and must not end with a period (.) character. - The vnetName should be between 2 and 64 characters, consisting only of alphanumeric characters, hyphens, underscores and periods and must not end with either a period (.) or hyphen (-) character. - The subnetName should be between 1 and 80 characters, consisting only of alphanumeric characters, hyphens and underscores and must start with an alphanumeric character and must not end with a period (.) or hyphen (-) character. 
- maxLength: 355 - minLength: 1 - type: string - x-kubernetes-validations: - - message: encryptionSetID must be in the format `/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}/subnets/{subnetName}` - rule: size(self.split('/')) == 11 && self.matches('^/subscriptions/.*/resourceGroups/.*/providers/Microsoft.Network/virtualNetworks/.*/subnets/.*$') - - message: The resourceGroupName should be between 1 and 90 - characters, consisting only of alphanumeric characters, - hyphens, underscores, periods and paranthesis - rule: self.split('/')[4].matches('[a-zA-Z0-9-_\\(\\)\\.]{1,90}') - - message: the resourceGroupName in the subnetID must not - end with a period (.) character - rule: '!self.split(''/'')[4].endsWith(''.'')' - - message: The vnetName should be between 2 and 64 characters, - consisting only of alphanumeric characters, hyphens, underscores - and periods - rule: self.split('/')[8].matches('[a-zA-Z0-9-_\\.]{2,64}') - - message: the vnetName in the subnetID must not end with - either a period (.) or hyphen (-) character - rule: '!self.split(''/'')[8].endsWith(''.'') && !self.split(''/'')[8].endsWith(''-'')' - - message: The subnetName should be between 1 and 80 characters, - consisting only of alphanumeric characters, hyphens and - underscores and must start with an alphanumeric character - rule: self.split('/')[10].matches('[a-zA-Z0-9][a-zA-Z0-9-_\\.]{0,79}') - - message: the subnetName in the subnetID must not end with - a period (.) or hyphen (-) character - rule: '!self.split(''/'')[10].endsWith(''.'') && !self.split(''/'')[10].endsWith(''-'')' - - message: SubnetID is immutable - rule: self == oldSelf - vmSize: - description: |- - vmSize is the Azure VM instance type to use for the nodes being created in the nodepool. - The size naming convention is documented here https://learn.microsoft.com/en-us/azure/virtual-machines/vm-naming-conventions. 
- Size names should start with a Family name, which is represented by one of more capital letters, and then be followed by the CPU count. - This is followed by 0 or more additional features, represented by a, b, d, i, l, m, p, t, s, C, and NP, refer to the Azure documentation for an explanation of these features. - Optionally an accelerator such as a GPU can be added, prefixed by an underscore, for example A100, H100 or MI300X. - The size may also be versioned, in which case it should be suffixed with _v where the version is a number. - For example, "D32ads_v5" would be a suitable general purpose VM size, or "ND96_MI300X_v5" would represent a GPU accelerated VM. - pattern: ^(Standard_|Basic_)?[A-Z]+[0-9]+(-[0-9]+)?[abdilmptsCNP]*(_[A-Z]*[0-9]+[A-Z]*)?(_v[0-9]+)?$ - type: string - required: - - image - - osDisk - - subnetID - - vmSize - type: object - ibmcloud: - description: IBMCloud defines IBMCloud specific settings for components - properties: - providerType: - description: ProviderType is a specific supported infrastructure - provider within IBM Cloud. - type: string - type: object - kubevirt: - description: Kubevirt specifies the configuration used when operating - on KubeVirt platform. 
- properties: - additionalNetworks: - description: AdditionalNetworks specify the extra networks - attached to the nodes - items: - description: |- - KubevirtNetwork specifies the configuration for a virtual machine - network interface - properties: - name: - description: |- - Name specify the network attached to the nodes - it is a value with the format "[namespace]/[name]" to reference the - multus network attachment definition - type: string - required: - - name - type: object - type: array - attachDefaultNetwork: - default: true - description: |- - AttachDefaultNetwork specify if the default pod network should be attached to the nodes - this can only be set to false if AdditionalNetworks are configured - type: boolean - compute: - default: - cores: 2 - memory: 8Gi - description: Compute contains values representing the virtual - hardware requested for the VM - properties: - cores: - default: 2 - description: Cores represents how many cores the guest - VM should have - format: int32 - type: integer - memory: - anyOf: - - type: integer - - type: string - default: 8Gi - description: Memory represents how much guest memory the - VM should have - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - qosClass: - default: Burstable - description: |- - QosClass If set to "Guaranteed", requests the scheduler to place the VirtualMachineInstance on a node with - limit memory and CPU, equal to be the requested values, to set the VMI as a Guaranteed QoS Class; - See here for more details: - https://kubevirt.io/user-guide/operations/node_overcommit/#requesting-the-right-qos-class-for-virtualmachineinstances - enum: - - Burstable - - Guaranteed - type: string - type: object - hostDevices: - description: |- - KubevirtHostDevices specifies the host devices (e.g. 
GPU devices) to be passed - from the management cluster, to the nodepool nodes - items: - properties: - count: - default: 1 - description: |- - Count is the number of instances the specified host device will be attached to each of the - NodePool's nodes. Default is 1. - minimum: 1 - type: integer - deviceName: - description: |- - DeviceName is the name of the host device that is desired to be utilized in the HostedCluster's NodePool - The device can be any supported PCI device, including GPU, either as a passthrough or a vGPU slice. - type: string - required: - - deviceName - type: object - type: array - networkInterfaceMultiqueue: - default: Enable - description: |- - NetworkInterfaceMultiQueue If set to "Enable", virtual network interfaces configured with a virtio bus will also - enable the vhost multiqueue feature for network devices. The number of queues created depends on additional - factors of the VirtualMachineInstance, like the number of guest CPUs. - enum: - - Enable - - Disable - type: string - nodeSelector: - additionalProperties: - type: string - description: |- - NodeSelector is a selector which must be true for the kubevirt VirtualMachine to fit on a node. - Selector which must match a node's labels for the VM to be scheduled on that node. More info: - https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ - type: object - rootVolume: - default: - persistent: - size: 32Gi - type: Persistent - description: RootVolume represents values associated with - the VM volume that will host rhcos - properties: - cacheStrategy: - description: CacheStrategy defines the boot image caching - strategy. 
Default - no caching - properties: - type: - default: None - description: Type is the type of the caching strategy - enum: - - None - - PVC - type: string - required: - - type - type: object - diskImage: - description: Image represents what rhcos image to use - for the node pool - properties: - containerDiskImage: - description: ContainerDiskImage is a string representing - the container image that holds the root disk - type: string - type: object - persistent: - description: |- - Persistent volume type means the VM's storage is backed by a PVC - VMs that use persistent volumes can survive disruption events like restart and eviction - This is the default type used when no storage type is defined. - properties: - accessModes: - description: |- - AccessModes is an array that contains the desired Access Modes the root volume should have. - More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes - items: - enum: - - ReadWriteOnce - - ReadWriteMany - - ReadOnly - - ReadWriteOncePod - type: string - type: array - size: - anyOf: - - type: integer - - type: string - default: 32Gi - description: Size is the size of the persistent storage - volume - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - storageClass: - description: StorageClass is the storageClass used - for the underlying PVC that hosts the volume - type: string - volumeMode: - description: |- - VolumeMode defines what type of volume is required by the claim. - Value of Filesystem is implied when not included in claim spec. - enum: - - Filesystem - - Block - type: string - type: object - type: - default: Persistent - description: Type represents the type of storage to associate - with the kubevirt VMs. 
- enum: - - Persistent - type: string - type: object - required: - - rootVolume - type: object - openstack: - description: OpenStack specifies the configuration used when using - OpenStack platform. - properties: - availabilityZone: - description: |- - availabilityZone is the nova availability zone in which the provider will create the VM. - If not specified, the VM will be created in the default availability zone specified in the nova configuration. - Availability zone names must NOT contain : since it is used by admin users to specify hosts where instances - are launched in server creation. Also, it must not contain spaces otherwise it will lead to node that belongs - to this availability zone register failure, see kubernetes/cloud-provider-openstack#1379 for further information. - The maximum length of availability zone name is 63 as per labels limits. - maxLength: 63 - minLength: 1 - pattern: '^[^: ]*$' - type: string - flavor: - description: Flavor is the OpenStack flavor to use for the - node instances. - type: string - imageName: - description: |- - ImageName is the OpenStack Glance image name to use for node instances. If unspecified, the default - is chosen based on the NodePool release payload image. - type: string - required: - - flavor - type: object - powervs: - description: PowerVS specifies the configuration used when using - IBMCloud PowerVS platform. - properties: - image: - description: |- - Image used for deploying the nodes. If unspecified, the default - is chosen based on the NodePool release payload image. - properties: - id: - description: ID of resource - type: string - name: - description: Name of resource - type: string - type: object - imageDeletePolicy: - default: delete - description: |- - ImageDeletePolicy is policy for the image deletion. - - delete: delete the image from the infrastructure. - retain: delete the image from the openshift but retain in the infrastructure. 
- - The default is delete - enum: - - delete - - retain - type: string - memoryGiB: - default: 32 - description: |- - MemoryGiB is the size of a virtual machine's memory, in GiB. - maximum value for the MemoryGiB depends on the selected SystemType. - when SystemType is set to e880 maximum MemoryGiB value is 7463 GiB. - when SystemType is set to e980 maximum MemoryGiB value is 15307 GiB. - when SystemType is set to s922 maximum MemoryGiB value is 942 GiB. - The minimum memory is 32 GiB. - - When omitted, this means the user has no opinion and the platform is left to choose a reasonable - default. The current default is 32. - format: int32 - type: integer - processorType: - default: shared - description: |- - ProcessorType is the VM instance processor type. - It must be set to one of the following values: Dedicated, Capped or Shared. - - Dedicated: resources are allocated for a specific client, The hypervisor makes a 1:1 binding of a partition’s processor to a physical processor core. - Shared: Shared among other clients. - Capped: Shared, but resources do not expand beyond those that are requested, the amount of CPU time is Capped to the value specified for the entitlement. - - if the processorType is selected as Dedicated, then Processors value cannot be fractional. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is shared. - enum: - - dedicated - - shared - - capped - type: string - processors: - anyOf: - - type: integer - - type: string - default: "0.5" - description: |- - Processors is the number of virtual processors in a virtual machine. - when the processorType is selected as Dedicated the processors value cannot be fractional. - maximum value for the Processors depends on the selected SystemType. - when SystemType is set to e880 or e980 maximum Processors value is 143. - when SystemType is set to s922 maximum Processors value is 15. 
- minimum value for Processors depends on the selected ProcessorType. - when ProcessorType is set as Shared or Capped, The minimum processors is 0.5. - when ProcessorType is set as Dedicated, The minimum processors is 1. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The default is set based on the selected ProcessorType. - when ProcessorType selected as Dedicated, the default is set to 1. - when ProcessorType selected as Shared or Capped, the default is set to 0.5. - x-kubernetes-int-or-string: true - storageType: - default: tier1 - description: |- - StorageType for the image and nodes, this will be ignored if Image is specified. - The storage tiers in PowerVS are based on I/O operations per second (IOPS). - It means that the performance of your storage volumes is limited to the maximum number of IOPS based on volume size and storage tier. - Although, the exact numbers might change over time, the Tier 3 storage is currently set to 3 IOPS/GB, and the Tier 1 storage is currently set to 10 IOPS/GB. - - The default is tier1 - enum: - - tier1 - - tier3 - type: string - systemType: - default: s922 - description: |- - SystemType is the System type used to host the instance. - systemType determines the number of cores and memory that is available. - Few of the supported SystemTypes are s922,e880,e980. - e880 systemType available only in Dallas Datacenters. - e980 systemType available in Datacenters except Dallas and Washington. - When omitted, this means that the user has no opinion and the platform is left to choose a - reasonable default. The current default is s922 which is generally available. - type: string - type: object - type: - description: Type specifies the platform name. 
- enum: - - AWS - - Azure - - IBMCloud - - KubeVirt - - Agent - - PowerVS - - None - - OpenStack - type: string - x-kubernetes-validations: - - message: Type is immutable - rule: self == oldSelf - required: - - type - type: object - release: - description: |- - release specifies the OCP release used for the NodePool. This informs the - ignition configuration for machines which includes the kubelet version, as well as other platform specific - machine properties (e.g. an AMI on the AWS platform). - It's not supported to use a release in a NodePool which minor version skew against the Control Plane release is bigger than N-2. Although there's no enforcement that prevents this from happening. - Attempting to use a release with a bigger skew might result in unpredictable behaviour. - Attempting to use a release higher than the HosterCluster one will result in the NodePool being degraded and the ValidReleaseImage condition being false. - Attempting to use a release lower than the current NodePool y-stream will result in the NodePool being degraded and the ValidReleaseImage condition being false. - properties: - image: - description: |- - Image is the image pullspec of an OCP release payload image. - See https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags for a list of available images. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: Image must start with a word character (letters, digits, - or underscores) and contain no white spaces - rule: self.matches('^(\\w+\\S+)$') - required: - - image - type: object - replicas: - description: |- - replicas is the desired number of nodes the pool should maintain. If unset, the controller default value is 0. - replicas is mutually exclusive with autoscaling. If autoscaling is configured, replicas must be omitted and autoscaling will control the NodePool size internally. 
- format: int32 - type: integer - taints: - description: |- - taints if specified, propagates a list of taints to Nodes, only once on creation. - These taints are additive to the ones applied by other controllers - items: - description: |- - taint is as v1 Core but without TimeAdded. - https://github.com/kubernetes/kubernetes/blob/ed8cad1e80d096257921908a52ac69cf1f41a098/staging/src/k8s.io/api/core/v1/types.go#L3037-L3053 - Validation replicates the same validation as the upstream https://github.com/kubernetes/kubernetes/blob/9a2a7537f035969a68e432b4cc276dbce8ce1735/pkg/util/taints/taints.go#L273. - See also https://kubernetes.io/docs/concepts/overview/working-with-objects/names/. - properties: - effect: - description: |- - effect is the effect of the taint on pods - that do not tolerate the taint. - Valid effects are NoSchedule, PreferNoSchedule and NoExecute. - enum: - - NoSchedule - - PreferNoSchedule - - NoExecute - type: string - key: - description: key is the taint key to be applied to a node. - maxLength: 253 - minLength: 1 - type: string - x-kubernetes-validations: - - message: key must be a qualified name with an optional subdomain - prefix e.g. example.com/MyName - rule: self.matches('^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\\/)?[A-Za-z0-9]([-A-Za-z0-9_.]{0,61}[A-Za-z0-9])?$') - value: - description: value is the taint value corresponding to the taint - key. - maxLength: 253 - type: string - x-kubernetes-validations: - - message: Value must start and end with alphanumeric characters - and can only contain '-', '_', '.' in the middle - rule: self.matches('^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$') - required: - - effect - - key - type: object - maxItems: 50 - type: array - tuningConfig: - description: |- - tuningConfig is a list of references to ConfigMaps containing serialized - Tuned or PerformanceProfile resources to define the tuning configuration to be applied to - nodes in the NodePool. 
The Tuned API is defined here: - - https://github.com/openshift/cluster-node-tuning-operator/blob/2c76314fb3cc8f12aef4a0dcd67ddc3677d5b54f/pkg/apis/tuned/v1/tuned_types.go - - The PerformanceProfile API is defined here: - https://github.com/openshift/cluster-node-tuning-operator/tree/b41042d42d4ba5bb2e99960248cf1d6ae4935018/pkg/apis/performanceprofile/v2 - - Each ConfigMap must have a single key named "tuning" whose value is the - JSON or YAML of a serialized Tuned or PerformanceProfile. - items: - description: |- - LocalObjectReference contains enough information to let you locate the - referenced object inside the same namespace. - properties: - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - type: object - x-kubernetes-map-type: atomic - type: array - required: - - clusterName - - management - - platform - - release - type: object - x-kubernetes-validations: - - message: Arch is required once set - rule: '!has(oldSelf.arch) || has(self.arch)' - - message: Setting Arch to arm64 is only supported for AWS and Azure - rule: self.arch != 'arm64' || has(self.platform.aws) || has(self.platform.azure) - - message: Both replicas or autoScaling should not be set - rule: '!has(self.replicas) || !has(self.autoScaling)' - status: - description: Status is the latest observed status of the NodePool. - properties: - conditions: - description: |- - Conditions represents the latest available observations of the node pool's - current state. - items: - description: |- - We define our own condition type since metav1.Condition has validation - for Reason that might be broken by what we bubble up from CAPI. - NodePoolCondition defines an observation of NodePool resource operational state. 
- properties: - lastTransitionTime: - description: |- - Last time the condition transitioned from one status to another. - This should be when the underlying condition changed. If that is not known, then using the time when - the API field changed is acceptable. - format: date-time - type: string - message: - description: |- - A human readable message indicating details about the transition. - This field may be empty. - type: string - observedGeneration: - format: int64 - minimum: 0 - type: integer - reason: - description: |- - The reason for the condition's last transition in CamelCase. - The specific API may choose whether or not this field is considered a guaranteed API. - This field may not be empty. - type: string - severity: - description: |- - Severity provides an explicit classification of Reason code, so the users or machines can immediately - understand the current situation and act accordingly. - The Severity field MUST be set only when Status=False. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: |- - Type of condition in CamelCase or in foo.example.com/CamelCase. - Many .condition.type values are consistent across resources like Available, but because arbitrary conditions - can be useful (see .node.status.conditions), the ability to deconflict is important. - type: string - required: - - lastTransitionTime - - status - - type - type: object - type: array - platform: - description: Platform hols the specific statuses - properties: - kubeVirt: - description: KubeVirt contains the KubeVirt platform statuses - properties: - cacheName: - description: CacheName holds the name of the cache DataVolume, - if exists - type: string - credentials: - description: |- - Credentials shows the client credentials used when creating KubeVirt virtual machines. 
- This filed is only exists when the KubeVirt virtual machines are being placed - on a cluster separate from the one hosting the Hosted Control Plane components. - - The default behavior when Credentials is not defined is for the KubeVirt VMs to be placed on - the same cluster and namespace as the Hosted Control Plane. - properties: - infraKubeConfigSecret: - description: |- - InfraKubeConfigSecret is a reference to a secret that contains the kubeconfig for the external infra cluster - that will be used to host the KubeVirt virtual machines for this cluster. - properties: - key: - type: string - name: - type: string - required: - - key - - name - type: object - x-kubernetes-validations: - - message: infraKubeConfigSecret is immutable - rule: self == oldSelf - infraNamespace: - description: |- - InfraNamespace defines the namespace on the external infra cluster that is used to host the KubeVirt - virtual machines. This namespace must already exist before creating the HostedCluster and the kubeconfig - referenced in the InfraKubeConfigSecret must have access to manage the required resources within this - namespace. - type: string - x-kubernetes-validations: - - message: infraNamespace is immutable - rule: self == oldSelf - required: - - infraKubeConfigSecret - - infraNamespace - type: object - type: object - type: object - replicas: - description: Replicas is the latest observed number of nodes in the - pool. - format: int32 - type: integer - version: - description: |- - Version is the semantic version of the latest applied release specified by - the NodePool. - type: string - type: object - type: object - served: true - storage: true - subresources: - scale: - specReplicasPath: .spec.replicas - statusReplicasPath: .status.replicas - status: {} diff --git a/docs/content/reference/api.md b/docs/content/reference/api.md index 0142d639f0d..2330d6af7e1 100644 --- a/docs/content/reference/api.md +++ b/docs/content/reference/api.md 
@@ -3182,6 +3182,20 @@ ControlPlaneManagedIdentities authenticate with Azure’s API.

+ + +dataPlane
+ + +DataPlaneManagedIdentities + + + + +

dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with +Azure’s API.

+ + ###AzureVMImage { #hypershift.openshift.io/v1beta1.AzureVMImage } @@ -4392,6 +4406,82 @@ available internally to the cluster exist.

+###DataPlaneManagedIdentities { #hypershift.openshift.io/v1beta1.DataPlaneManagedIdentities } +

+(Appears on: +AzureResourceManagedIdentities) +

+

+

DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to +authenticate with Azure’s API.

+

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldDescription
+imageRegistryMSIClientID
+ +string + +
+

imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image +registry controller.

+
+diskMSIClientID
+ +string + +
+

diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver.

+
+fileMSIClientID
+ +string + +
+

fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver.

+
+ingressMSIClientID
+ +string + +
+

IngressMSIClientID is the client ID of a pre-existing managed identity ID associated with the ingress controller.

+
+cloudNetworkConfigMSIClientID
+ +string + +
+

cloudNetworkConfigMSIClientID is the client ID of a pre-existing managed identity ID associated with the cloud +network config controller.

+
###Diagnostics { #hypershift.openshift.io/v1beta1.Diagnostics }

(Appears on:
diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go
index f27fcd2e93c..3a014473cd1 100644
--- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go
+++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go
@@ -460,7 +460,11 @@ type AzureResourceManagedIdentities struct {
 // +kubebuilder:validation:Required
 ControlPlane ControlPlaneManagedIdentities `json:"controlPlane"`
- // Future placeholder
- DataPlaneMIs * DataPlaneManagedIdentities
+ // dataPlane contains the client IDs of all the managed identities on the data plane needing to authenticate with
+ // Azure's API.
+ //
+ // +kubebuilder:validation:Required
+ DataPlane DataPlaneManagedIdentities `json:"dataPlane"`
 }
 // ManagedIdentity contains the client ID, and its certificate name, of a managed identity. This managed identity is
@@ -535,6 +539,37 @@ type ControlPlaneManagedIdentities struct {
 File ManagedIdentity `json:"file"`
 }
+// DataPlaneManagedIdentities contains the client IDs of all the managed identities on the data plane needing to
+// authenticate with Azure's API.
+type DataPlaneManagedIdentities struct {
+ // imageRegistryMSIClientID is the client ID of a pre-existing managed identity ID associated with the image
+ //registry controller.
+ //
+ // +kubebuilder:validation:Required
+ ImageRegistryMSIClientID string `json:"imageRegistryMSIClientID"`
+
+ // diskMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI Disk driver.
+ //
+ // +kubebuilder:validation:Required
+ DiskMSIClientID string `json:"diskMSIClientID"`
+
+ // fileMSIClientID is the client ID of a pre-existing managed identity ID associated with the CSI File driver.
+ //
+ // +kubebuilder:validation:Required
+ FileMSIClientID string `json:"fileMSIClientID"`
+
+ // IngressMSIClientID is the client ID of a pre-existing managed identity ID associated with the ingress controller.
+ //
+ // +kubebuilder:validation:Required
+ IngressMSIClientID string `json:"ingressMSIClientID"`
+
+ // cloudNetworkConfigMSIClientID is the client ID of a pre-existing managed identity ID associated with the cloud
+ // network config controller.
+ //
+ // +kubebuilder:validation:Required
+ CloudNetworkConfigMSIClientID string `json:"cloudNetworkConfigMSIClientID"`
+}
+
 // AzureKMSSpec defines metadata about the configuration of the Azure KMS Secret Encryption provider using Azure key vault
 type AzureKMSSpec struct {
 // ActiveKey defines the active key used to encrypt new secrets
diff --git a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go
index da73996c47c..6a13af6d526 100644
--- a/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go @@ -649,6 +649,7 @@ func (in *AzurePlatformSpec) DeepCopy() *AzurePlatformSpec { func (in *AzureResourceManagedIdentities) DeepCopyInto(out *AzureResourceManagedIdentities) { *out = *in out.ControlPlane = in.ControlPlane + out.DataPlane = in.DataPlane } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AzureResourceManagedIdentities. @@ -1124,6 +1125,21 @@ func (in *DNSSpec) DeepCopy() *DNSSpec { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *DataPlaneManagedIdentities) DeepCopyInto(out *DataPlaneManagedIdentities) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataPlaneManagedIdentities. +func (in *DataPlaneManagedIdentities) DeepCopy() *DataPlaneManagedIdentities { + if in == nil { + return nil + } + out := new(DataPlaneManagedIdentities) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Diagnostics) DeepCopyInto(out *Diagnostics) { *out = *in