From ddaaf487a705215efe51116d00321d16160afc89 Mon Sep 17 00:00:00 2001
From: Jose Valdes
Date: Tue, 9 Jun 2026 11:53:49 -0400
Subject: [PATCH 1/6] [submodule][ovn-kubernetes] Update to e9295c0d0
Update to https://github.com/openshift/ovn-kubernetes/commit/e9295c0d0d7caa1eda7cc9f2f3900c64096c943c
This commit was generated using hack/update_submodules.sh
---
 ovn-kubernetes | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ovn-kubernetes b/ovn-kubernetes
index 3ce6353a1e..e9295c0d0d 160000
--- a/ovn-kubernetes
+++ b/ovn-kubernetes
@@ -1 +1 @@
-Subproject commit 3ce6353a1ed2962dc8aabe96dcef0e5bd7a40555
+Subproject commit e9295c0d0d7caa1eda7cc9f2f3900c64096c943c
From 39efec5c0e4407b684b2066e0c7959766d9d07ac Mon Sep 17 00:00:00 2001
From: Jose Valdes
Date: Tue, 9 Jun 2026 11:53:50 -0400
Subject: [PATCH 2/6] [submodule][containernetworking-plugins] Update to d6f73950
Update to https://github.com/openshift/containernetworking-plugins/commit/d6f73950658d258e0ddbf2a4ac92e13ac840158b
This commit was generated using hack/update_submodules.sh
---
 containernetworking-plugins | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/containernetworking-plugins b/containernetworking-plugins
index 747ad66caa..d6f7395065 160000
--- a/containernetworking-plugins
+++ b/containernetworking-plugins
@@ -1 +1 @@
-Subproject commit 747ad66caa1109b2b490aebad01af42bd2d738f1
+Subproject commit d6f73950658d258e0ddbf2a4ac92e13ac840158b
From 4fe37b1a48684c1e12243979dfd1dc9a8eaa64d7 Mon Sep 17 00:00:00 2001
From: Jose Valdes
Date: Tue, 9 Jun 2026 11:53:54 -0400
Subject: [PATCH 3/6] [submodule][kubelet] Update to d8d517e6bbe
Update to https://github.com/openshift/kubernetes/commit/d8d517e6bbe7cf7359026cac26bb96ea45e18806
This commit was generated using hack/update_submodules.sh
---
 kubelet | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubelet b/kubelet
index 99b75aa92a..d8d517e6bb 160000
--- a/kubelet
+++ b/kubelet
@@ -1 +1 @@
-Subproject commit 99b75aa92a7f60c4446ee29f54d511f140a8aed0
+Subproject commit d8d517e6bbe7cf7359026cac26bb96ea45e18806
From bb3543dd6561cdfd3f296f3371c234a6433d1591 Mon Sep 17 00:00:00 2001
From: Jose Valdes
Date: Tue, 9 Jun 2026 11:53:55 -0400
Subject: [PATCH 4/6] [build] Update kubelet version to v1.35.3+d8d517e
This commit was generated using hack/update_submodules.sh
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 955b1ebf31..2b8e546d73 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ WMCO_VERSION ?= 11.0.0
 # *_GIT_VERSION are the k8s versions. Any update to the build line could potentially require an update to the sed
 # command in generate_k8s_version_commit() in hack/update_submodules.sh
-KUBELET_GIT_VERSION=v1.35.3+99b75aa
+KUBELET_GIT_VERSION=v1.35.3+d8d517e
 CONTAINERD_GIT_VERSION=v1.7.27
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "preview,fast,stable")
From b93f10e0c75cd47842de21fd0c26400eeb1d4415 Mon Sep 17 00:00:00 2001
From: Jose Valdes
Date: Tue, 9 Jun 2026 11:54:47 -0400
Subject: [PATCH 5/6] [vendor] Use v1.35.3+d8d517e k8s and OpenShift libraries
This commit was generated using hack/update_submodules.sh
---
 go.mod | 14 +-
 go.sum | 32 +-
 .../go-openapi/jsonpointer/.cliff.toml | 181 ---------
 .../go-openapi/jsonpointer/.gitignore | 1 -
 .../go-openapi/jsonpointer/CONTRIBUTORS.md | 7 +-
 .../github.com/go-openapi/jsonpointer/NOTICE | 2 +-
 .../go-openapi/jsonpointer/README.md | 54 +--
 .../go-openapi/jsonpointer/errors.go | 26 +-
 .../go-openapi/jsonpointer/ifaces.go | 47 +++
 .../go-openapi/jsonpointer/options.go | 86 +++++
 .../go-openapi/jsonpointer/pointer.go | 348 ++++++++++++++----
 .../go-openapi/jsonreference/.gitignore | 1 -
 .../go-openapi/jsonreference/CONTRIBUTORS.md | 22 +-
 .../go-openapi/jsonreference/README.md | 22 +-
 .../swag/jsonname/go_name_provider.go | 286 ++++++++++++++
 .../go-openapi/swag/jsonname/ifaces.go | 14 +
 .../go-openapi/swag/jsonname/name_provider.go | 2 +
 .../api/config/v1/types_tlssecurityprofile.go | 122 +++++-
 .../api/config/v1/zz_generated.deepcopy.go | 5 +
 ..._generated.featuregated-crd-manifests.yaml | 1 +
 .../v1/zz_generated.swagger_doc_generated.go | 11 +-
 .../v1alpha1/types_cluster_monitoring.go | 190 +++++++++-
 .../config/v1alpha1/zz_generated.deepcopy.go | 73 ++++
 .../zz_generated.swagger_doc_generated.go | 41 ++-
 .../api/machineconfiguration/v1/register.go | 2 +
 .../api/machineconfiguration/v1/types.go | 7 +
 .../v1/types_osimagestream.go | 162 ++++++++
 .../v1/zz_generated.deepcopy.go | 114 ++++++
 ..._generated.featuregated-crd-manifests.yaml | 27 +-
 .../v1/zz_generated.swagger_doc_generated.go | 49 +++
 .../openshift/api/operator/v1/types_etcd.go | 4 +-
 ..._generated.featuregated-crd-manifests.yaml | 1 +
 .../v1/zz_generated.swagger_doc_generated.go | 2 +-
 .../config/v1/clientcredentialconfig.go | 98 +++++
 .../config/v1/clientsecretsecretreference.go | 32 ++
 .../config/v1/customtlsprofile.go | 10 +
 .../config/v1/externalclaimssource.go | 97 +++++
 .../config/v1/externalsourceauthentication.go | 57 +++
 ...ecertificateauthorityconfigmapreference.go | 34 ++
 .../config/v1/externalsourcepredicate.go | 43 +++
 .../config/v1/externalsourcetls.go | 30 ++
 .../config/v1/networkobservabilityspec.go | 33 ++
 .../config/v1/networkspec.go | 12 +
 .../config/v1/oidcprovider.go | 34 ++
 .../config/v1/sourcedclaimmapping.go | 51 +++
 .../config/v1/sourceurl.go | 67 ++++
 .../config/v1/tlsprofilespec.go | 28 ++
 .../config/v1/tlssecurityprofile.go | 36 +-
 .../config/v1/vaultapproleauthentication.go | 2 +-
 .../config/v1/vaultkmspluginconfig.go | 12 +-
 .../config/v1/vaulttlsconfig.go | 2 +-
 .../v1alpha1/alertmanagercustomconfig.go | 25 +-
 .../config/v1alpha1/nodeexporterconfig.go | 43 ---
 .../config/v1alpha1/thanosquerierconfig.go | 50 +++
 .../thanosquerierrequestloggingconfig.go | 34 ++
 .../applyconfigurations/internal/internal.go | 164 ++++++++-
 .../config/applyconfigurations/utils.go | 22 ++
 vendor/modules.txt | 20 +-
 58 files changed, 2545 insertions(+), 447 deletions(-)
 delete mode 100644 vendor/github.com/go-openapi/jsonpointer/.cliff.toml
 create mode 100644 vendor/github.com/go-openapi/jsonpointer/ifaces.go
 create mode 100644 vendor/github.com/go-openapi/jsonpointer/options.go
 create mode 100644 vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go
 create mode 100644 vendor/github.com/go-openapi/swag/jsonname/ifaces.go
 create mode 100644 vendor/github.com/openshift/api/machineconfiguration/v1/types_osimagestream.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go
 create mode 100644 vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go
diff --git a/go.mod b/go.mod
index dc7bbf7726..f0bb78ff6a 100644
--- a/go.mod
+++ b/go.mod
@@ -8,9 +8,9 @@ require (
 github.com/coreos/ignition/v2 v2.26.0
 github.com/go-imports-organizer/goio v1.5.0
 github.com/go-logr/logr v1.4.3
- github.com/openshift/api v0.0.0-20260528061300-9f553042f9ae
- github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a
- github.com/openshift/library-go v0.0.0-20260528084301-c7d432293c13
+ github.com/openshift/api v0.0.0-20260609121705-d3390bd1109f
+ github.com/openshift/client-go v0.0.0-20260603140539-6892dc3e1ffc
+ github.com/openshift/library-go v0.0.0-20260609093731-5637f8b25b0d
 github.com/operator-framework/api v0.41.0
 github.com/operator-framework/operator-lib v0.4.0
 github.com/operator-framework/operator-lifecycle-manager v0.41.0
@@ -64,13 +64,13 @@ require (
 github.com/go-errors/errors v1.4.2 // indirect
 github.com/go-logr/stdr v1.2.2 // indirect
 github.com/go-logr/zapr v1.3.0 // indirect
- github.com/go-openapi/jsonpointer v0.22.5 // indirect
- github.com/go-openapi/jsonreference v0.21.5 // indirect
+ github.com/go-openapi/jsonpointer v0.23.1 // indirect
+ github.com/go-openapi/jsonreference v0.21.6 // indirect
 github.com/go-openapi/swag v0.25.5 // indirect
 github.com/go-openapi/swag/cmdutils v0.25.5 // indirect
 github.com/go-openapi/swag/conv v0.25.5 // indirect
 github.com/go-openapi/swag/fileutils v0.25.5 // indirect
- github.com/go-openapi/swag/jsonname v0.25.5 // indirect
+ github.com/go-openapi/swag/jsonname v0.26.1 // indirect
 github.com/go-openapi/swag/jsonutils v0.25.5 // indirect
 github.com/go-openapi/swag/loading v0.25.5 // indirect
 github.com/go-openapi/swag/mangling v0.25.5 // indirect
@@ -139,7 +139,7 @@ require (
 k8s.io/apiserver v0.35.5 // indirect
 k8s.io/cli-runtime v0.35.5 // indirect
 k8s.io/controller-manager v0.35.5 // indirect
- k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af // indirect
+ k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25 // indirect
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 // indirect
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 sigs.k8s.io/kustomize/api v0.20.1 // indirect
diff --git a/go.sum b/go.sum
index b11bdc494d..aa5f68f4ed 100644
--- a/go.sum
+++ b/go.sum
@@ -208,15 +208,15 @@ github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwds github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.22.5 h1:8on/0Yp4uTb9f4XvTrM2+1CPrV05QPZXu+rvu2o9jcA= -github.com/go-openapi/jsonpointer v0.22.5/go.mod h1:gyUR3sCvGSWchA2sUBJGluYMbe1zazrYWIkWPjjMUY0= +github.com/go-openapi/jsonpointer v0.23.1 h1:1HBACs7XIwR2RcmItfdSFlALhGbe6S92p0ry4d1GWg4= +github.com/go-openapi/jsonpointer v0.23.1/go.mod h1:iWRmZTrGn7XwYhtPt/fvdSFj1OfNBngqRT2UG3BxSqY= github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= github.com/go-openapi/jsonreference v0.17.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.18.0/go.mod h1:g4xxGn04lDIRh0GJb5QlpE3HfopLOL6uZrK/VgnsK9I= github.com/go-openapi/jsonreference v0.19.2/go.mod h1:jMjeRr2HHw6nAVajTXJ4eiUwohSTlpa0o73RUL1owJc= github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL98+wF9xc8zWvFonSJ8= -github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE= -github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw= +github.com/go-openapi/jsonreference v0.21.6 h1:NZ5nGfnaM1n4I43Xjm1e5/M2GjOwQwndQz22uhxwD+Y= +github.com/go-openapi/jsonreference v0.21.6/go.mod h1:xzbgtQ3ZbWxvET3AxdzCJlJt6vkovbf+IfSPJjD0tUY= github.com/go-openapi/loads v0.17.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= github.com/go-openapi/loads v0.18.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= github.com/go-openapi/loads v0.19.0/go.mod h1:72tmFy5wsWx89uEVddd0RjRWPZm92WRLhf7AC+0+OOU= 
@@ -247,8 +247,8 @@ github.com/go-openapi/swag/conv v0.25.5 h1:wAXBYEXJjoKwE5+vc9YHhpQOFj2JYBMF2DUi+ github.com/go-openapi/swag/conv v0.25.5/go.mod h1:CuJ1eWvh1c4ORKx7unQnFGyvBbNlRKbnRyAvDvzWA4k= github.com/go-openapi/swag/fileutils v0.25.5 h1:B6JTdOcs2c0dBIs9HnkyTW+5gC+8NIhVBUwERkFhMWk= github.com/go-openapi/swag/fileutils v0.25.5/go.mod h1:V3cT9UdMQIaH4WiTrUc9EPtVA4txS0TOmRURmhGF4kc= -github.com/go-openapi/swag/jsonname v0.25.5 h1:8p150i44rv/Drip4vWI3kGi9+4W9TdI3US3uUYSFhSo= -github.com/go-openapi/swag/jsonname v0.25.5/go.mod h1:jNqqikyiAK56uS7n8sLkdaNY/uq6+D2m2LANat09pKU= +github.com/go-openapi/swag/jsonname v0.26.1 h1:VReupaV6WxlAsCn0e4DUfgV6bPmINnPpyJDLqSfNPcE= +github.com/go-openapi/swag/jsonname v0.26.1/go.mod h1:OvdW6BoWoj33pTfi7x9vFrgmT+fk7aw0BRwvCE0YOuc= github.com/go-openapi/swag/jsonutils v0.25.5 h1:XUZF8awQr75MXeC+/iaw5usY/iM7nXPDwdG3Jbl9vYo= github.com/go-openapi/swag/jsonutils v0.25.5/go.mod h1:48FXUaz8YsDAA9s5AnaUvAmry1UcLcNVWUjY42XkrN4= github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.5 h1:SX6sE4FrGb4sEnnxbFL/25yZBb5Hcg1inLeErd86Y1U= 
@@ -267,8 +267,8 @@ github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ= github.com/go-openapi/testify/enable/yaml/v2 v2.4.0 h1:7SgOMTvJkM8yWrQlU8Jm18VeDPuAvB/xWrdxFJkoFag= github.com/go-openapi/testify/enable/yaml/v2 v2.4.0/go.mod h1:14iV8jyyQlinc9StD7w1xVPW3CO3q1Gj04Jy//Kw4VM= -github.com/go-openapi/testify/v2 v2.4.0 h1:8nsPrHVCWkQ4p8h1EsRVymA2XABB4OT40gcvAu+voFM= -github.com/go-openapi/testify/v2 v2.4.0/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54= +github.com/go-openapi/testify/v2 v2.5.1 h1:TMdhCaw8fUNraVSf3Omoob1dO/AzBfhtFAPW0an6sBo= +github.com/go-openapi/testify/v2 v2.5.1/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw= github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+MYsct2VUrAJ4= github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= 
@@ -506,12 +506,12 @@ github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1y github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.39.1 h1:1IJLAad4zjPn2PsnhH70V4DKRFlrCzGBNrNaru+Vf28= github.com/onsi/gomega v1.39.1/go.mod h1:hL6yVALoTOxeWudERyfppUcZXjMwIMLnuSfruD2lcfg= -github.com/openshift/api v0.0.0-20260528061300-9f553042f9ae h1:qTKrQWkXujGSQy+seJkUEOLfBEiw0xy+yJG/YViBABU= -github.com/openshift/api v0.0.0-20260528061300-9f553042f9ae/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo= -github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a h1:EKx2XhOKehd1C5ptY7IrLl4WV35E8kP0pRPnG5BUZXk= -github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a/go.mod h1:V933kvY/cb/Un7UCEOhXHUySNX327u7Epe8g9KNqg2Q= -github.com/openshift/library-go v0.0.0-20260528084301-c7d432293c13 h1:vcC6XGYLlb3LnGZbRfqcczaPDhqAVAXFiRsL8wW/8Ow= -github.com/openshift/library-go v0.0.0-20260528084301-c7d432293c13/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A= +github.com/openshift/api v0.0.0-20260609121705-d3390bd1109f h1:q7vMHwBYipDQO05yj1iU8E39oNkvJxkYPB8VnFMQw/w= +github.com/openshift/api v0.0.0-20260609121705-d3390bd1109f/go.mod h1:pyVjK0nZ4sRs4fuQVQ4rubsJdahI1PB94LnQ8sGdvxo= +github.com/openshift/client-go v0.0.0-20260603140539-6892dc3e1ffc h1:yCLc/pmoZ4YZbMWlAnvYZ2YWkLZoPCilO4Fk/oAu2/E= +github.com/openshift/client-go v0.0.0-20260603140539-6892dc3e1ffc/go.mod h1:eqfaEX/V7xHMZ8Mpf72J03RnnY/kEqoZVLpkpjy5p6s= +github.com/openshift/library-go v0.0.0-20260609093731-5637f8b25b0d h1:Sutr89AyI5q93pXQL6PtzfuVK4biRf4ZgCaEE6A2vzI= +github.com/openshift/library-go v0.0.0-20260609093731-5637f8b25b0d/go.mod h1:/HBhy6jm/igWI3Y1vYFwFG3ZCcXmnNsKUT6VBpPyM9A= github.com/operator-framework/api v0.5.2/go.mod h1:L7IvLd/ckxJEJg/t4oTTlnHKAJIP/p51AvEslW3wYdY= github.com/operator-framework/api v0.41.0 h1:B0nutndl95elbLXJGRlkFNTI8OuZIjSqvTEeORPhTKo= github.com/operator-framework/api v0.41.0/go.mod 
h1:Ouud+eqruzll9X3iv8wuAOTNAyyEncYXp4IVgbIlIdg= @@ -1072,8 +1072,8 @@ k8s.io/klog/v2 v2.140.0 h1:Tf+J3AH7xnUzZyVVXhTgGhEKnFqye14aadWv7bzXdzc= k8s.io/klog/v2 v2.140.0/go.mod h1:o+/RWfJ6PwpnFn7OyAG3QnO47BFsymfEfrz6XyYSSp0= k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM= -k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af h1:zLXA2Irn14q2/06WMkxViyr7YCPUO2lJ0QYE9Juy5vA= -k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY= +k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25 h1:mPMaPMpBij2V1Wv/fR+HW124vVGXXvOSS9ver/9yjWs= +k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25/go.mod h1:V/QaCUYDa+0QpcHhVVc5l99Uz56wEMEXBSj9oCDkNDY= k8s.io/kubectl v0.35.5 h1:768G/MoK8SlgMObXVukluHewKIf8RW7oJYa2MTDh3fk= k8s.io/kubectl v0.35.5/go.mod h1:rii0tmjY2HQVPSiurhP/XxlnMmrXbNzjPDTeUY8EOZU= k8s.io/kubelet v0.35.5 h1:asU07lJvTB9lK7XPEcQJdPrV96eu/zNGkJVSEWeZFFQ= diff --git a/vendor/github.com/go-openapi/jsonpointer/.cliff.toml b/vendor/github.com/go-openapi/jsonpointer/.cliff.toml deleted file mode 100644 index 702629f5dc..0000000000 --- a/vendor/github.com/go-openapi/jsonpointer/.cliff.toml +++ /dev/null 
@@ -1,181 +0,0 @@ -# git-cliff ~ configuration file -# https://git-cliff.org/docs/configuration - -[changelog] -header = """ -""" - -footer = """ - ------ - -**[{{ remote.github.repo }}]({{ self::remote_url() }}) license terms** - -[![License][license-badge]][license-url] - -[license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg -[license-url]: {{ self::remote_url() }}/?tab=Apache-2.0-1-ov-file#readme - -{%- macro remote_url() -%} - https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }} -{%- endmacro -%} -""" - -body = """ -{%- if version %} -## [{{ version | trim_start_matches(pat="v") }}]({{ self::remote_url() }}/tree/{{ version }}) - {{ timestamp | date(format="%Y-%m-%d") }} -{%- else %} -## [unreleased] -{%- endif %} -{%- if message %} - {%- raw %}\n{% endraw %} -{{ message }} - {%- raw %}\n{% endraw %} -{%- endif %} -{%- if version %} - {%- if previous.version %} - -**Full Changelog**: <{{ self::remote_url() }}/compare/{{ previous.version }}...{{ version }}> - {%- endif %} -{%- else %} - {%- raw %}\n{% endraw %} -{%- endif %} - -{%- if statistics %}{% if statistics.commit_count %} - {%- raw %}\n{% endraw %} -{{ statistics.commit_count }} commits in this release. 
- {%- raw %}\n{% endraw %} -{%- endif %}{% endif %} ------ - -{%- for group, commits in commits | group_by(attribute="group") %} - {%- raw %}\n{% endraw %} -### {{ group | upper_first }} - {%- raw %}\n{% endraw %} - {%- for commit in commits %} - {%- if commit.remote.pr_title %} - {%- set commit_message = commit.remote.pr_title %} - {%- else %} - {%- set commit_message = commit.message %} - {%- endif %} -* {{ commit_message | split(pat="\n") | first | trim }} - {%- if commit.remote.username %} -{%- raw %} {% endraw %}by [@{{ commit.remote.username }}](https://github.com/{{ commit.remote.username }}) - {%- endif %} - {%- if commit.remote.pr_number %} -{%- raw %} {% endraw %}in [#{{ commit.remote.pr_number }}]({{ self::remote_url() }}/pull/{{ commit.remote.pr_number }}) - {%- endif %} -{%- raw %} {% endraw %}[...]({{ self::remote_url() }}/commit/{{ commit.id }}) - {%- endfor %} -{%- endfor %} - -{%- if github %} -{%- raw %}\n{% endraw -%} - {%- set all_contributors = github.contributors | length %} - {%- if github.contributors | filter(attribute="username", value="dependabot[bot]") | length < all_contributors %} ------ - -### People who contributed to this release - {% endif %} - {%- for contributor in github.contributors | filter(attribute="username") | sort(attribute="username") %} - {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %} -* [@{{ contributor.username }}](https://github.com/{{ contributor.username }}) - {%- endif %} - {%- endfor %} - - {% if github.contributors | filter(attribute="is_first_time", value=true) | length != 0 %} ------ - {%- raw %}\n{% endraw %} - -### New Contributors - {%- endif %} - - {%- for contributor in github.contributors | filter(attribute="is_first_time", value=true) %} - {%- if contributor.username != "dependabot[bot]" and contributor.username != "github-actions[bot]" %} -* @{{ contributor.username }} made their first contribution - {%- if contributor.pr_number %} - in [#{{ 
contributor.pr_number }}]({{ self::remote_url() }}/pull/{{ contributor.pr_number }}) \ - {%- endif %} - {%- endif %} - {%- endfor %} -{%- endif %} - -{%- raw %}\n{% endraw %} - -{%- macro remote_url() -%} - https://github.com/{{ remote.github.owner }}/{{ remote.github.repo }} -{%- endmacro -%} -""" -# Remove leading and trailing whitespaces from the changelog's body. -trim = true -# Render body even when there are no releases to process. -render_always = true -# An array of regex based postprocessors to modify the changelog. -postprocessors = [ - # Replace the placeholder with a URL. - #{ pattern = '', replace = "https://github.com/orhun/git-cliff" }, -] -# output file path -# output = "test.md" - -[git] -# Parse commits according to the conventional commits specification. -# See https://www.conventionalcommits.org -conventional_commits = false -# Exclude commits that do not match the conventional commits specification. -filter_unconventional = false -# Require all commits to be conventional. -# Takes precedence over filter_unconventional. -require_conventional = false -# Split commits on newlines, treating each line as an individual commit. -split_commits = false -# An array of regex based parsers to modify commit messages prior to further processing. -commit_preprocessors = [ - # Replace issue numbers with link templates to be updated in `changelog.postprocessors`. - #{ pattern = '\((\w+\s)?#([0-9]+)\)', replace = "([#${2}](/issues/${2}))"}, - # Check spelling of the commit message using https://github.com/crate-ci/typos. - # If the spelling is incorrect, it will be fixed automatically. - #{ pattern = '.*', replace_command = 'typos --write-changes -' } -] -# Prevent commits that are breaking from being excluded by commit parsers. -protect_breaking_commits = false -# An array of regex based parsers for extracting data from the commit message. -# Assigns commits to groups. 
-# Optionally sets the commit's scope and can decide to exclude commits from further processing. -commit_parsers = [ - { message = "^[Cc]hore\\([Rr]elease\\): prepare for", skip = true }, - { message = "(^[Mm]erge)|([Mm]erge conflict)", skip = true }, - { field = "author.name", pattern = "dependabot*", group = "Updates" }, - { message = "([Ss]ecurity)|([Vv]uln)", group = "Security" }, - { body = "(.*[Ss]ecurity)|([Vv]uln)", group = "Security" }, - { message = "([Cc]hore\\(lint\\))|(style)|(lint)|(codeql)|(golangci)", group = "Code quality" }, - { message = "(^[Dd]oc)|((?i)readme)|(badge)|(typo)|(documentation)", group = "Documentation" }, - { message = "(^[Ff]eat)|(^[Ee]nhancement)", group = "Implemented enhancements" }, - { message = "(^ci)|(\\(ci\\))|(fixup\\s+ci)|(fix\\s+ci)|(license)|(example)", group = "Miscellaneous tasks" }, - { message = "^test", group = "Testing" }, - { message = "(^fix)|(panic)", group = "Fixed bugs" }, - { message = "(^refact)|(rework)", group = "Refactor" }, - { message = "(^[Pp]erf)|(performance)", group = "Performance" }, - { message = "(^[Cc]hore)", group = "Miscellaneous tasks" }, - { message = "^[Rr]evert", group = "Reverted changes" }, - { message = "(upgrade.*?go)|(go\\s+version)", group = "Updates" }, - { message = ".*", group = "Other" }, -] -# Exclude commits that are not matched by any commit parser. -filter_commits = false -# An array of link parsers for extracting external references, and turning them into URLs, using regex. -link_parsers = [] -# Include only the tags that belong to the current branch. -use_branch_tags = false -# Order releases topologically instead of chronologically. -topo_order = false -# Order releases topologically instead of chronologically. -topo_order_commits = true -# Order of commits in each group/release within the changelog. -# Allowed values: newest, oldest -sort_commits = "newest" -# Process submodules commits -recurse_submodules = false - -#[remote.github] -#owner = "go-openapi" 
diff --git a/vendor/github.com/go-openapi/jsonpointer/.gitignore b/vendor/github.com/go-openapi/jsonpointer/.gitignore index 885dc27ab0..d8f4186fe5 100644 --- a/vendor/github.com/go-openapi/jsonpointer/.gitignore +++ b/vendor/github.com/go-openapi/jsonpointer/.gitignore @@ -3,4 +3,3 @@ .idea .env .mcp.json -.claude/ diff --git a/vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md b/vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md index 2ebebedc15..9990f4a354 100644 --- a/vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md +++ b/vendor/github.com/go-openapi/jsonpointer/CONTRIBUTORS.md @@ -4,11 +4,11 @@ | Total Contributors | Total Contributions | | --- | --- | -| 12 | 101 | +| 13 | 111 | | Username | All Time Contribution Count | All Commits | | --- | --- | --- | -| @fredbi | 54 | | +| @fredbi | 63 | | | @casualjim | 33 | | | @magodo | 3 | | | @youyuanwu | 3 | | @@ -18,7 +18,8 @@ | @ianlancetaylor | 1 | | | @mfleader | 1 | | | @Neo2308 | 1 | | +| @alexandear | 1 | | | @olivierlemasle | 1 | | | @testwill | 1 | | - _this file was generated by the [Contributors GitHub Action](https://github.com/github/contributors)_ + _this file was generated by the [Contributors GitHub Action](https://github.com/github-community-projects/contributors)_ diff --git a/vendor/github.com/go-openapi/jsonpointer/NOTICE b/vendor/github.com/go-openapi/jsonpointer/NOTICE index f3b51939a9..201908d2f0 100644 --- a/vendor/github.com/go-openapi/jsonpointer/NOTICE +++ b/vendor/github.com/go-openapi/jsonpointer/NOTICE @@ -18,7 +18,7 @@ It ships with copies of other software which license terms are recalled below. The original software was authored on 25-02-2013 by sigu-399 (https://github.com/sigu-399, sigu.399@gmail.com). -github.com/sigh-399/jsonpointer +github.com/sigu-399/jsonpointer =========================== // SPDX-FileCopyrightText: Copyright 2013 sigu-399 ( https://github.com/sigu-399 ) 
diff --git a/vendor/github.com/go-openapi/jsonpointer/README.md b/vendor/github.com/go-openapi/jsonpointer/README.md index c52803e2e8..24fbe1bf68 100644 --- a/vendor/github.com/go-openapi/jsonpointer/README.md +++ b/vendor/github.com/go-openapi/jsonpointer/README.md 
@@ -16,17 +16,25 @@ An implementation of JSON Pointer for golang, which supports go `struct`. ## Announcements -* **2025-12-19** : new community chat on discord - * a new discord community channel is available to be notified of changes and support users - * our venerable Slack channel remains open, and will be eventually discontinued on **2026-03-31** - -You may join the discord community by clicking the invite link on the discord badge (also above). [![Discord Channel][discord-badge]][discord-url] - -Or join our Slack channel: [![Slack Channel][slack-logo]![slack-badge]][slack-url] +* **2026-04-15** : added support for trailing "-" for arrays (v0.23.0) + * this brings full support of [RFC6901][RFC6901] + * this is supported for types relying on the reflection-based implemented + * API semantics remain essentially unaltered. Exception: `Pointer.Set(document any,value any) (document any, err error)` + can only perform a best-effort to mutate the input document in place. In the case of adding elements to an array with a + trailing "-", either pass a mutable array (`*[]T`) as the input document, or use the returned updated document instead. + * types that implement the `JSONSetable` interface may not implement the mutation implied by the trailing "-" + +* **2026-04-15** : added support for optional alternate JSON name providers + * for struct support the defaults might not suit all situations: there are known limitations + when it comes to handle untagged fields or embedded types. + * the default name provider in use is not fully aligned with go JSON stdlib + * exposed an option (or global setting) to change the provider that resolves a struct into json keys + * the default behavior is not altered + * a new alternate name provider is added (imported from `go-openapi/swag/jsonname`), aligned with JSON stdlib behavior ## Status -API is stable. +API is stable and feature-complete. ## Import this library in your project 
@@ -88,7 +96,7 @@ See -also known as [RFC6901](https://www.rfc-editor.org/rfc/rfc6901) +also known as [RFC6901][RFC6901]. ## Licensing @@ -99,19 +107,19 @@ on top of which it has been built. ## Limitations -The 4.Evaluation part of the previous reference, starting with 'If the currently referenced value is a JSON array, -the reference token MUST contain either...' is not implemented. - -That is because our implementation of the JSON pointer only supports explicit references to array elements: -the provision in the spec to resolve non-existent members as "the last element in the array", -using the special trailing character "-" is not implemented. +* [RFC6901][RFC6901] is now fully supported, including trailing "-" semantics for arrays (for `Set` operations). +* Default behavior: JSON name detection in go `struct`s + - Unlike go standard marshaling, untagged fields do not default to the go field name and are ignored. + - anonymous fields are not traversed if untagged + - the above limitations may be overcome by calling `UseGoNameProvider()` at initialization time. + - alternatively, users may inject the desired custom behavior for naming fields as an option. ## Other documentation * [All-time contributors](./CONTRIBUTORS.md) -* [Contributing guidelines](.github/CONTRIBUTING.md) -* [Maintainers documentation](docs/MAINTAINERS.md) -* [Code style](docs/STYLE.md) +* [Contributing guidelines][contributing-doc-site] +* [Maintainers documentation][maintainers-doc-site] +* [Code style][style-doc-site] ## Cutting a new release 
@@ -142,11 +150,8 @@ Maintainers can cut a new release by either: [godoc-badge]: https://pkg.go.dev/badge/github.com/go-openapi/jsonpointer [godoc-url]: http://pkg.go.dev/github.com/go-openapi/jsonpointer -[slack-logo]: https://a.slack-edge.com/e6a93c1/img/icons/favicon-32.png -[slack-badge]: https://img.shields.io/badge/slack-blue?link=https%3A%2F%2Fgoswagger.slack.com%2Farchives%2FC04R30YM -[slack-url]: https://goswagger.slack.com/archives/C04R30YMU [discord-badge]: https://img.shields.io/discord/1446918742398341256?logo=discord&label=discord&color=blue -[discord-url]: https://discord.gg/twZ9BwT3 +[discord-url]: https://discord.gg/FfnFYaC3k5 [license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg @@ -156,3 +161,8 @@ Maintainers can cut a new release by either: [goversion-url]: https://github.com/go-openapi/jsonpointer/blob/master/go.mod [top-badge]: https://img.shields.io/github/languages/top/go-openapi/jsonpointer [commits-badge]: https://img.shields.io/github/commits-since/go-openapi/jsonpointer/latest +[RFC6901]: https://www.rfc-editor.org/rfc/rfc6901 + +[contributing-doc-site]: https://go-openapi.github.io/doc-site/contributing/contributing/index.html +[maintainers-doc-site]: https://go-openapi.github.io/doc-site/maintainers/index.html +[style-doc-site]: https://go-openapi.github.io/doc-site/contributing/style/index.html diff --git a/vendor/github.com/go-openapi/jsonpointer/errors.go b/vendor/github.com/go-openapi/jsonpointer/errors.go index 8c50dde8bc..8813474d44 100644 --- a/vendor/github.com/go-openapi/jsonpointer/errors.go +++ b/vendor/github.com/go-openapi/jsonpointer/errors.go 
@@ -16,12 +16,24 @@ const ( ErrPointer pointerError = "JSON pointer error" // ErrInvalidStart states that a JSON pointer must start with a separator ("/"). - ErrInvalidStart pointerError = `JSON pointer must be empty or start with a "` + pointerSeparator + ErrInvalidStart pointerError = `JSON pointer must be empty or start with a "` + pointerSeparator + `"` // ErrUnsupportedValueType indicates that a value of the wrong type is being set. ErrUnsupportedValueType pointerError = "only structs, pointers, maps and slices are supported for setting values" + + // ErrDashToken indicates use of the RFC 6901 "-" reference token + // in a context where it cannot be resolved. + // + // Per RFC 6901 §4 the "-" token refers to the (nonexistent) element + // after the last array element. It may only be used as the terminal + // token of a [Pointer.Set] against a slice, where it means "append". + // Any other use (get, offset, intermediate traversal, non-slice target) + // is an error condition that wraps this sentinel. + ErrDashToken pointerError = `the "-" array token cannot be resolved here` //nolint:gosec // G101 false positive: this is a JSON Pointer reference token, not a credential. ) +const dashToken = "-" + func errNoKey(key string) error { return fmt.Errorf("object has no key %q: %w", key, ErrPointer) } @@ -33,3 +45,15 @@ func errOutOfBounds(length, idx int) error { func errInvalidReference(token string) error { return fmt.Errorf("invalid token reference %q: %w", token, ErrPointer) } + +func errDashOnGet() error { + return fmt.Errorf("cannot resolve %q token on get: %w: %w", dashToken, ErrDashToken, ErrPointer) +} + +func errDashIntermediate() error { + return fmt.Errorf("the %q token may only appear as the terminal token of a pointer: %w: %w", dashToken, ErrDashToken, ErrPointer) +} + +func errDashOnOffset() error { + return fmt.Errorf("cannot compute offset for %q token (nonexistent element): %w: %w", dashToken, ErrDashToken, ErrPointer) +} 
diff --git a/vendor/github.com/go-openapi/jsonpointer/ifaces.go b/vendor/github.com/go-openapi/jsonpointer/ifaces.go
new file mode 100644
index 0000000000..1e56ac0442
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonpointer/ifaces.go
@@ -0,0 +1,47 @@
+// SPDX-FileCopyrightText: Copyright (c) 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package jsonpointer
+
+import "reflect"
+
+// JSONPointable is an interface for structs to implement,
+// when they need to customize the json pointer process or want to avoid the use of reflection.
+type JSONPointable interface {
+ // JSONLookup returns a value pointed at this (unescaped) key.
+ JSONLookup(key string) (any, error)
+}
+
+// JSONSetable is an interface for structs to implement,
+// when they need to customize the json pointer process or want to avoid the use of reflection.
+//
+// # Handling of the RFC 6901 "-" token
+//
+// When a type implementing JSONSetable is the terminal parent of a [Pointer.Set]
+// call, the library passes the raw reference token to JSONSet without
+// interpretation. In particular, the RFC 6901 "-" token (which conventionally
+// means "append" for arrays, per RFC 6902) is forwarded verbatim as the key
+// argument. Implementations that model an array-like container are expected
+// to give "-" the append semantics; implementations that do not should return
+// an error wrapping [ErrDashToken] (or [ErrPointer]) for clarity.
+//
+// Implementations are responsible for any in-place mutation: the library does
+// not attempt to rebind the result of JSONSet into a parent container.
+type JSONSetable interface {
+ // JSONSet sets the value pointed at the (unescaped) key.
+ //
+ // The key may be the RFC 6901 "-" token when the pointer targets a
+ // slice-like member; see the interface documentation for details.
+ JSONSet(key string, value any) error
+}
+
+// NameProvider knows how to resolve go struct fields into json names.
+//
+// The default provider is brought by [github.com/go-openapi/swag/jsonname.DefaultJSONNameProvider].
+type NameProvider interface {
+ // GetGoName gets the go name for a json property name
+ GetGoName(subject any, name string) (string, bool)
+
+ // GetGoNameForType gets the go name for a given type for a json property name
+ GetGoNameForType(tpe reflect.Type, name string) (string, bool)
+}
diff --git a/vendor/github.com/go-openapi/jsonpointer/options.go b/vendor/github.com/go-openapi/jsonpointer/options.go
new file mode 100644
index 0000000000..d52caab222
--- /dev/null
+++ b/vendor/github.com/go-openapi/jsonpointer/options.go
@@ -0,0 +1,86 @@
+// SPDX-FileCopyrightText: Copyright (c) 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package jsonpointer
+
+import (
+ "sync"
+
+ "github.com/go-openapi/swag/jsonname"
+)
+
+// Option to tune the behavior of a JSON [Pointer].
+type Option func(*options)
+
+var (
+ //nolint:gochecknoglobals // package level defaults are provided as a convenient, backward-compatible way to adopt options.
+ defaultOptions = options{
+ provider: jsonname.DefaultJSONNameProvider,
+ }
+ //nolint:gochecknoglobals // guards defaultOptions against concurrent SetDefaultNameProvider / read races (testing)
+ defaultOptionsMu sync.RWMutex
+)
+
+// SetDefaultNameProvider sets the [NameProvider] as a package-level default.
+//
+// By default, the default provider is [jsonname.DefaultJSONNameProvider].
+//
+// It is safe to call concurrently with [Pointer.Get], [Pointer.Set],
+// [GetForToken] and [SetForToken]. The typical usage is to call it once
+// at initialization time.
+//
+// A nil provider is ignored.
+func SetDefaultNameProvider(provider NameProvider) {
+ if provider == nil {
+ return
+ }
+
+ defaultOptionsMu.Lock()
+ defer defaultOptionsMu.Unlock()
+
+ defaultOptions.provider = provider
+}
+
+// UseGoNameProvider sets the [NameProvider] as a package-level default
+// to the alternative provider [jsonname.GoNameProvider], that covers a few areas
+// not supported by the default name provider.
+//
+// This implementation supports untagged exported fields and embedded types in go struct.
+// It follows strictly the behavior of the JSON standard library regarding field naming conventions.
+//
+// It is safe to call concurrently with [Pointer.Get], [Pointer.Set],
+// [GetForToken] and [SetForToken]. The typical usage is to call it once
+// at initialization time.
+func UseGoNameProvider() {
+ SetDefaultNameProvider(jsonname.NewGoNameProvider())
+}
+
+// DefaultNameProvider returns the current package-level [NameProvider].
+func DefaultNameProvider() NameProvider { //nolint:ireturn // returning the interface is the point — callers pick their own implementation. + defaultOptionsMu.RLock() + defer defaultOptionsMu.RUnlock() + + return defaultOptions.provider +} + +// WithNameProvider injects a custom [NameProvider] to resolve json names from go struct types. +func WithNameProvider(provider NameProvider) Option { + return func(o *options) { + o.provider = provider + } +} + +type options struct { + provider NameProvider +} + +func optionsWithDefaults(opts []Option) options { + var o options + o.provider = DefaultNameProvider() + + for _, apply := range opts { + apply(&o) + } + + return o +} diff --git a/vendor/github.com/go-openapi/jsonpointer/pointer.go b/vendor/github.com/go-openapi/jsonpointer/pointer.go index 7df49af3b9..2369c1827e 100644 --- a/vendor/github.com/go-openapi/jsonpointer/pointer.go +++ b/vendor/github.com/go-openapi/jsonpointer/pointer.go @@ -11,8 +11,6 @@ import ( "reflect" "strconv" "strings" - - "github.com/go-openapi/swag/jsonname" ) const ( @@ -20,20 +18,6 @@ const ( pointerSeparator = `/` ) -// JSONPointable is an interface for structs to implement, -// when they need to customize the json pointer process or want to avoid the use of reflection. -type JSONPointable interface { - // JSONLookup returns a value pointed at this (unescaped) key. - JSONLookup(key string) (any, error) -} - -// JSONSetable is an interface for structs to implement, -// when they need to customize the json pointer process or want to avoid the use of reflection. -type JSONSetable interface { - // JSONSet sets the value pointed at the (unescaped) key. - JSONSet(key string, value any) error -} - // Pointer is a representation of a json pointer. // // Use [Pointer.Get] to retrieve a value or [Pointer.Set] to set a value. 
@@ -41,7 +25,7 @@ type JSONSetable interface { // It works with any go type interpreted as a JSON document, which means: // // - if a type implements [JSONPointable], its [JSONPointable.JSONLookup] method is used to resolve [Pointer.Get] -// - if a type implements [JSONSetable], its [JSONPointable.JSONSet] method is used to resolve [Pointer.Set] +// - if a type implements [JSONSetable], its [JSONSetable.JSONSet] method is used to resolve [Pointer.Set] // - a go map[K]V is interpreted as an object, with type K assignable to a string // - a go slice []T is interpreted as an array // - a go struct is interpreted as an object, with exported fields interpreted as keys 
@@ -71,16 +55,35 @@ func New(jsonPointerString string) (Pointer, error) { // Get uses the pointer to retrieve a value from a JSON document. // // It returns the value with its type as a [reflect.Kind] or an error. -func (p *Pointer) Get(document any) (any, reflect.Kind, error) { - return p.get(document, jsonname.DefaultJSONNameProvider) +func (p *Pointer) Get(document any, opts ...Option) (any, reflect.Kind, error) { + o := optionsWithDefaults(opts) + + return p.get(document, o.provider) } // Set uses the pointer to set a value from a data type // that represent a JSON document. // -// It returns the updated document. -func (p *Pointer) Set(document any, value any) (any, error) { - return document, p.set(document, value, jsonname.DefaultJSONNameProvider) +// # Mutation contract +// +// Set mutates the provided document in place whenever Go's type system allows +// it: when document is a map, a pointer, or when the targeted value is reached +// through an addressable ancestor (e.g. a struct field traversed via a pointer, +// a slice element). Callers that rely on this in-place behavior may continue +// to ignore the returned document. +// +// The returned document is only load-bearing when Set cannot mutate in place. +// This happens in one specific case: appending to a top-level slice passed by +// value (e.g. document of type []T rather than *[]T) via the RFC 6901 "-" +// terminal token. reflect.Append produces a new slice header that the library +// cannot rebind into the caller's variable; the updated document is returned +// instead. Pass *[]T if you want in-place rebind for that case as well. +// +// See [ErrDashToken] for the semantics of the "-" token. +func (p *Pointer) Set(document any, value any, opts ...Option) (any, error) { + o := optionsWithDefaults(opts) + + return p.set(document, value, o.provider) } // DecodedTokens returns the decoded (unescaped) tokens of this JSON pointer. 
@@ -109,6 +112,46 @@ func (p *Pointer) String() string { return pointerSeparator + strings.Join(p.referenceTokens, pointerSeparator) } +// Offset returns the byte offset, in the raw JSON text of document, of the +// location referenced by this pointer's terminal token. +// +// Unlike [Pointer.Get] and [Pointer.Set], which operate on a decoded Go value, +// Offset operates directly on the textual JSON source. It drives an +// [encoding/json.Decoder] over the string and stops at the terminal token, +// returning the position at which the decoder was about to read that token. +// +// It is primarily intended for tooling that needs to map a pointer back to a +// region of the original source: reporting line/column for validation or +// parse diagnostics, extracting a sub-document by slicing the raw bytes, or +// highlighting the referenced span in an editor. +// +// # Offset semantics +// +// The meaning of the returned offset depends on whether the terminal token +// addresses an object property or an array element: +// +// - Object property: the offset points to the first byte of the key (its +// opening quote character), not to the associated value. For example, +// pointer "/foo/bar" against {"foo": {"bar": 21}} returns 9, the index of +// the opening quote of "bar". +// - Array element: the offset points to the first byte of the value at that +// index. For example, pointer "/0/1" against [[1,2], [3,4]] returns 4, +// the index of the digit 2. +// +// # Errors +// +// Offset returns an error in any of these cases: +// +// - document is not syntactically valid JSON; +// - the structure of document does not match the pointer (e.g. traversing +// into a scalar, or a token that is neither a valid key nor a valid +// numeric index); +// - a referenced key or index does not exist in document; +// - the pointer's terminal token is the RFC 6901 "-" array token, which +// designates a nonexistent element and therefore has no offset in the +// source. 
The returned error wraps [ErrDashToken]. +// +// All errors wrap [ErrPointer]. func (p *Pointer) Offset(document string) (int64, error) { dec := json.NewDecoder(strings.NewReader(document)) var offset int64 @@ -137,7 +180,35 @@ func (p *Pointer) Offset(document string) (int64, error) { return 0, fmt.Errorf("invalid token %#v: %w", tk, ErrPointer) } } - return offset, nil + return skipJSONSeparator(document, offset), nil +} + +// skipJSONSeparator advances offset past trailing JSON whitespace and at most +// one value separator (comma) in document, so the result points at the first +// byte of the next JSON token. +// +// The streaming decoder's InputOffset sits right after the most recently +// consumed token, which between values is the comma (or whitespace) — not +// the following token. Normalizing here keeps Offset's contract uniform: +// for both object keys and array elements, and regardless of position within +// the parent container, the returned offset always points at the first byte +// of the addressed token. +func skipJSONSeparator(document string, offset int64) int64 { + n := int64(len(document)) + for offset < n && isJSONWhitespace(document[offset]) { + offset++ + } + if offset < n && document[offset] == ',' { + offset++ + } + for offset < n && isJSONWhitespace(document[offset]) { + offset++ + } + return offset +} + +func isJSONWhitespace(c byte) bool { + return c == ' ' || c == '\t' || c == '\n' || c == '\r' } // "Constructor", parses the given string JSON pointer. @@ -157,9 +228,9 @@ func (p *Pointer) parse(jsonPointerString string) error { return nil } -func (p *Pointer) get(node any, nameProvider *jsonname.NameProvider) (any, reflect.Kind, error) { +func (p *Pointer) get(node any, nameProvider NameProvider) (any, reflect.Kind, error) { if nameProvider == nil { - nameProvider = jsonname.DefaultJSONNameProvider + nameProvider = defaultOptions.provider } kind := reflect.Invalid 
@@ -185,50 +256,130 @@ func (p *Pointer) get(node any, nameProvider *jsonname.NameProvider) (any, refle return node, kind, nil } -func (p *Pointer) set(node, data any, nameProvider *jsonname.NameProvider) error { +func (p *Pointer) set(node, data any, nameProvider NameProvider) (any, error) { knd := reflect.ValueOf(node).Kind() if knd != reflect.Pointer && knd != reflect.Struct && knd != reflect.Map && knd != reflect.Slice && knd != reflect.Array { - return errors.Join( + return node, errors.Join( fmt.Errorf("unexpected type: %T", node), //nolint:err113 // err wrapping is carried out by errors.Join, not fmt.Errorf. ErrUnsupportedValueType, ErrPointer, ) } - l := len(p.referenceTokens) - // full document when empty - if l == 0 { - return nil + if len(p.referenceTokens) == 0 { + return node, nil } if nameProvider == nil { - nameProvider = jsonname.DefaultJSONNameProvider + nameProvider = defaultOptions.provider } - var decodedToken string - lastIndex := l - 1 + return p.setAt(node, p.referenceTokens, data, nameProvider) +} - if lastIndex > 0 { // skip if we only have one token in pointer - for _, token := range p.referenceTokens[:lastIndex] { - decodedToken = Unescape(token) - next, err := p.resolveNodeForToken(node, decodedToken, nameProvider) - if err != nil { - return err - } +// setAt recursively walks the token list, setting the data at the terminal +// token and rebinding any new child reference (e.g. a slice header returned +// by an "-" append) into its parent on the way back up. +// +// Returning the (possibly new) node at each level is what makes append work +// at any depth without requiring the caller to pass a pointer to the +// containing slice: the new slice header propagates up and each parent +// rebinds it via the appropriate kind-specific setter. 
+func (p *Pointer) setAt(node any, tokens []string, data any, nameProvider NameProvider) (any, error) { + decodedToken := Unescape(tokens[0]) + + if len(tokens) == 1 { + return setSingleImpl(node, data, decodedToken, nameProvider) + } - node = next - } + child, err := p.resolveNodeForToken(node, decodedToken, nameProvider) + if err != nil { + return node, err + } + + newChild, err := p.setAt(child, tokens[1:], data, nameProvider) + if err != nil { + return node, err } - // last token - decodedToken = Unescape(p.referenceTokens[lastIndex]) + return rebindChild(node, decodedToken, newChild, nameProvider) +} + +// rebindChild writes newChild back into node at decodedToken. +// +// For cases where the child was already mutated in place (pointer aliasing, +// addressable slice elements) the rebind is a safe no-op. For cases where +// the child was returned by value (map entries holding a slice, slices +// reached through a non-addressable ancestor), the rebind propagates the +// new value into the parent. +// +// Parents implementing [JSONPointable] are left alone: they took ownership +// of the child via JSONLookup and did not opt into a JSONSet-based rebind +// on intermediate tokens. 
+func rebindChild(node any, decodedToken string, newChild any, nameProvider NameProvider) (any, error) { + if _, ok := node.(JSONPointable); ok { + return node, nil + } + + rValue := reflect.Indirect(reflect.ValueOf(node)) + + switch rValue.Kind() { + case reflect.Struct: + nm, ok := nameProvider.GetGoNameForType(rValue.Type(), decodedToken) + if !ok { + return node, fmt.Errorf("object has no field %q: %w", decodedToken, ErrPointer) + } + fld := rValue.FieldByName(nm) + if !fld.CanSet() { + return node, nil + } + assignReflectValue(fld, newChild) + return node, nil + + case reflect.Map: + rValue.SetMapIndex(reflect.ValueOf(decodedToken), reflect.ValueOf(newChild)) + return node, nil + + case reflect.Slice: + if decodedToken == dashToken { + return node, errDashIntermediate() + } + idx, err := strconv.Atoi(decodedToken) + if err != nil { + return node, errors.Join(err, ErrPointer) + } + elem := rValue.Index(idx) + if !elem.CanSet() { + return node, nil + } + assignReflectValue(elem, newChild) + return node, nil + + default: + return node, errInvalidReference(decodedToken) + } +} - return setSingleImpl(node, data, decodedToken, nameProvider) +// assignReflectValue assigns src into dst, unwrapping a pointer when dst +// expects the pointee type. This tolerates the pointer-wrapping performed +// by [typeFromValue] for addressable fields. 
+func assignReflectValue(dst reflect.Value, src any) { + nv := reflect.ValueOf(src) + if !nv.IsValid() { + return + } + if nv.Type().AssignableTo(dst.Type()) { + dst.Set(nv) + return + } + if nv.Kind() == reflect.Pointer && nv.Elem().Type().AssignableTo(dst.Type()) { + dst.Set(nv.Elem()) + } } -func (p *Pointer) resolveNodeForToken(node any, decodedToken string, nameProvider *jsonname.NameProvider) (next any, err error) { +func (p *Pointer) resolveNodeForToken(node any, decodedToken string, nameProvider NameProvider) (next any, err error) { // check for nil during traversal if isNil(node) { return nil, fmt.Errorf("cannot traverse through nil value at %q: %w", decodedToken, ErrPointer) @@ -272,6 +423,9 @@ func (p *Pointer) resolveNodeForToken(node any, decodedToken string, nameProvide return typeFromValue(mv), nil case reflect.Slice: + if decodedToken == dashToken { + return nil, errDashIntermediate() + } tokenIndex, err := strconv.Atoi(decodedToken) if err != nil { return nil, errors.Join(err, ErrPointer) 
@@ -312,16 +466,23 @@ func typeFromValue(v reflect.Value) any { } // GetForToken gets a value for a json pointer token 1 level deep. -func GetForToken(document any, decodedToken string) (any, reflect.Kind, error) { - return getSingleImpl(document, decodedToken, jsonname.DefaultJSONNameProvider) +func GetForToken(document any, decodedToken string, opts ...Option) (any, reflect.Kind, error) { + o := optionsWithDefaults(opts) + + return getSingleImpl(document, decodedToken, o.provider) } // SetForToken sets a value for a json pointer token 1 level deep. -func SetForToken(document any, decodedToken string, value any) (any, error) { - return document, setSingleImpl(document, value, decodedToken, jsonname.DefaultJSONNameProvider) +// +// See [Pointer.Set] for the mutation contract, in particular the handling of +// the RFC 6901 "-" token on slices. +func SetForToken(document any, decodedToken string, value any, opts ...Option) (any, error) { + o := optionsWithDefaults(opts) + + return setSingleImpl(document, value, decodedToken, o.provider) } -func getSingleImpl(node any, decodedToken string, nameProvider *jsonname.NameProvider) (any, reflect.Kind, error) { +func getSingleImpl(node any, decodedToken string, nameProvider NameProvider) (any, reflect.Kind, error) { rValue := reflect.Indirect(reflect.ValueOf(node)) kind := rValue.Kind() if isNil(node) { @@ -361,6 +522,9 @@ func getSingleImpl(node any, decodedToken string, nameProvider *jsonname.NamePro return nil, kind, errNoKey(decodedToken) case reflect.Slice: + if decodedToken == dashToken { + return nil, kind, errDashOnGet() + } tokenIndex, err := strconv.Atoi(decodedToken) if err != nil { return nil, kind, errors.Join(err, ErrPointer) 
@@ -378,14 +542,14 @@ func getSingleImpl(node any, decodedToken string, nameProvider *jsonname.NamePro } } -func setSingleImpl(node, data any, decodedToken string, nameProvider *jsonname.NameProvider) error { +func setSingleImpl(node, data any, decodedToken string, nameProvider NameProvider) (any, error) { // check for nil to prevent panic when calling rValue.Type() if isNil(node) { - return fmt.Errorf("cannot set field %q on nil value: %w", decodedToken, ErrPointer) + return node, fmt.Errorf("cannot set field %q on nil value: %w", decodedToken, ErrPointer) } if ns, ok := node.(JSONSetable); ok { - return ns.JSONSet(decodedToken, data) + return node, ns.JSONSet(decodedToken, data) } rValue := reflect.Indirect(reflect.ValueOf(node)) @@ -394,12 +558,12 @@ func setSingleImpl(node, data any, decodedToken string, nameProvider *jsonname.N case reflect.Struct: nm, ok := nameProvider.GetGoNameForType(rValue.Type(), decodedToken) if !ok { - return fmt.Errorf("object has no field %q: %w", decodedToken, ErrPointer) + return node, fmt.Errorf("object has no field %q: %w", decodedToken, ErrPointer) } fld := rValue.FieldByName(nm) if !fld.CanSet() { - return fmt.Errorf("can't set struct field %s to %v: %w", nm, data, ErrPointer) + return node, fmt.Errorf("can't set struct field %s to %v: %w", nm, data, ErrPointer) } value := reflect.ValueOf(data) 
@@ -407,33 +571,51 @@ func setSingleImpl(node, data any, decodedToken string, nameProvider *jsonname.N assignedType := fld.Type() if !valueType.AssignableTo(assignedType) { - return fmt.Errorf("can't set value with type %T to field %s with type %v: %w", data, nm, assignedType, ErrPointer) + return node, fmt.Errorf("can't set value with type %T to field %s with type %v: %w", data, nm, assignedType, ErrPointer) } fld.Set(value) - return nil + return node, nil case reflect.Map: kv := reflect.ValueOf(decodedToken) rValue.SetMapIndex(kv, reflect.ValueOf(data)) - return nil + return node, nil case reflect.Slice: + if decodedToken == dashToken { + // RFC 6901 §4 / RFC 6902 append semantics: terminal "-" appends + // the value to the slice. We rebind in place when the slice is + // reachable via an addressable ancestor; otherwise we return the + // new slice header for the parent (or the public Set) to rebind. + value := reflect.ValueOf(data) + elemType := rValue.Type().Elem() + if !value.Type().AssignableTo(elemType) { + return node, fmt.Errorf("can't append value of type %T to slice of %v: %w", data, elemType, ErrPointer) + } + newSlice := reflect.Append(rValue, value) + if rValue.CanSet() { + rValue.Set(newSlice) + return node, nil + } + return newSlice.Interface(), nil + } + tokenIndex, err := strconv.Atoi(decodedToken) if err != nil { - return errors.Join(err, ErrPointer) + return node, errors.Join(err, ErrPointer) } sLength := rValue.Len() if tokenIndex < 0 || tokenIndex >= sLength { - return errOutOfBounds(sLength, tokenIndex) + return node, errOutOfBounds(sLength, tokenIndex) } elem := rValue.Index(tokenIndex) if !elem.CanSet() { - return fmt.Errorf("can't set slice index %s to %v: %w", decodedToken, data, ErrPointer) + return node, fmt.Errorf("can't set slice index %s to %v: %w", decodedToken, data, ErrPointer) } value := reflect.ValueOf(data) 
@@ -441,15 +623,15 @@ func setSingleImpl(node, data any, decodedToken string, nameProvider *jsonname.N assignedType := elem.Type() if !valueType.AssignableTo(assignedType) { - return fmt.Errorf("can't set value with type %T to slice element %d with type %v: %w", data, tokenIndex, assignedType, ErrPointer) + return node, fmt.Errorf("can't set value with type %T to slice element %d with type %v: %w", data, tokenIndex, assignedType, ErrPointer) } elem.Set(value) - return nil + return node, nil default: - return errInvalidReference(decodedToken) + return node, errInvalidReference(decodedToken) } } @@ -460,24 +642,27 @@ func offsetSingleObject(dec *json.Decoder, decodedToken string) (int64, error) { if err != nil { return 0, err } - switch tk := tk.(type) { - case json.Delim: - switch tk { - case '{': - if err = drainSingle(dec); err != nil { - return 0, err - } - case '[': + key, ok := tk.(string) + if !ok { + return 0, fmt.Errorf("invalid key token %#v: %w", tk, ErrPointer) + } + if key == decodedToken { + return offset, nil + } + + // Consume the associated value. Scalars are fully read by a single + // Token() call; composite values must be drained. + tk, err = dec.Token() + if err != nil { + return 0, err + } + if delim, isDelim := tk.(json.Delim); isDelim { + switch delim { + case '{', '[': if err = drainSingle(dec); err != nil { return 0, err } } - case string: - if tk == decodedToken { - return offset, nil - } - default: - return 0, fmt.Errorf("invalid token %#v: %w", tk, ErrPointer) } } @@ -485,6 +670,9 @@ func offsetSingleObject(dec *json.Decoder, decodedToken string) (int64, error) { } func offsetSingleArray(dec *json.Decoder, decodedToken string) (int64, error) { + if decodedToken == dashToken { + return 0, errDashOnOffset() + } idx, err := strconv.Atoi(decodedToken) if err != nil { return 0, fmt.Errorf("token reference %q is not a number: %w: %w", decodedToken, err, ErrPointer) 
diff --git a/vendor/github.com/go-openapi/jsonreference/.gitignore b/vendor/github.com/go-openapi/jsonreference/.gitignore index 885dc27ab0..d8f4186fe5 100644 --- a/vendor/github.com/go-openapi/jsonreference/.gitignore +++ b/vendor/github.com/go-openapi/jsonreference/.gitignore @@ -3,4 +3,3 @@ .idea .env .mcp.json -.claude/ diff --git a/vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md b/vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md index 7faeb83a77..3cfbca6a6a 100644 --- a/vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md +++ b/vendor/github.com/go-openapi/jsonreference/CONTRIBUTORS.md 
@@ -4,18 +4,18 @@ | Total Contributors | Total Contributions | | --- | --- | -| 9 | 73 | +| 9 | 79 | | Username | All Time Contribution Count | All Commits | | --- | --- | --- | -| @fredbi | 36 | https://github.com/go-openapi/jsonreference/commits?author=fredbi | -| @casualjim | 25 | https://github.com/go-openapi/jsonreference/commits?author=casualjim | -| @youyuanwu | 5 | https://github.com/go-openapi/jsonreference/commits?author=youyuanwu | -| @olivierlemasle | 2 | https://github.com/go-openapi/jsonreference/commits?author=olivierlemasle | -| @apelisse | 1 | https://github.com/go-openapi/jsonreference/commits?author=apelisse | -| @gbjk | 1 | https://github.com/go-openapi/jsonreference/commits?author=gbjk | -| @honza | 1 | https://github.com/go-openapi/jsonreference/commits?author=honza | -| @Neo2308 | 1 | https://github.com/go-openapi/jsonreference/commits?author=Neo2308 | -| @erraggy | 1 | https://github.com/go-openapi/jsonreference/commits?author=erraggy | +| @fredbi | 42 | | +| @casualjim | 25 | | +| @youyuanwu | 5 | | +| @olivierlemasle | 2 | | +| @apelisse | 1 | | +| @gbjk | 1 | | +| @honza | 1 | | +| @Neo2308 | 1 | | +| @erraggy | 1 | | - _this file was generated by the [Contributors GitHub Action](https://github.com/github/contributors)_ + _this file was generated by the [Contributors GitHub Action](https://github.com/github-community-projects/contributors)_ diff --git a/vendor/github.com/go-openapi/jsonreference/README.md b/vendor/github.com/go-openapi/jsonreference/README.md index adea160619..43d05b0506 100644 --- a/vendor/github.com/go-openapi/jsonreference/README.md +++ b/vendor/github.com/go-openapi/jsonreference/README.md @@ -14,15 +14,9 @@ An implementation of JSON Reference for golang. + ## Status 
@@ -74,9 +68,9 @@ on top of which it has been built. ## Other documentation * [All-time contributors](./CONTRIBUTORS.md) -* [Contributing guidelines](.github/CONTRIBUTING.md) -* [Maintainers documentation](docs/MAINTAINERS.md) -* [Code style](docs/STYLE.md) +* [Contributing guidelines][contributing-doc-site] +* [Maintainers documentation][maintainers-doc-site] +* [Code style][style-doc-site] ## Cutting a new release @@ -115,7 +109,7 @@ Maintainers can cut a new release by either: [slack-badge]: https://img.shields.io/badge/slack-blue?link=https%3A%2F%2Fgoswagger.slack.com%2Farchives%2FC04R30YM [slack-url]: https://goswagger.slack.com/archives/C04R30YMU [discord-badge]: https://img.shields.io/discord/1446918742398341256?logo=discord&label=discord&color=blue -[discord-url]: https://discord.gg/twZ9BwT3 +[discord-url]: https://discord.gg/FfnFYaC3k5 [license-badge]: http://img.shields.io/badge/license-Apache%20v2-orange.svg @@ -125,3 +119,7 @@ Maintainers can cut a new release by either: [goversion-url]: https://github.com/go-openapi/jsonreference/blob/master/go.mod [top-badge]: https://img.shields.io/github/languages/top/go-openapi/jsonreference [commits-badge]: https://img.shields.io/github/commits-since/go-openapi/jsonreference/latest + +[contributing-doc-site]: https://go-openapi.github.io/doc-site/contributing/contributing/index.html +[maintainers-doc-site]: https://go-openapi.github.io/doc-site/maintainers/index.html +[style-doc-site]: https://go-openapi.github.io/doc-site/contributing/style/index.html diff --git a/vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go b/vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go new file mode 100644 index 0000000000..adc4426873 --- /dev/null +++ b/vendor/github.com/go-openapi/swag/jsonname/go_name_provider.go 
@@ -0,0 +1,286 @@
+// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers
+// SPDX-License-Identifier: Apache-2.0
+
+package jsonname
+
+import (
+ "reflect"
+ "strings"
+ "sync"
+)
+
+var _ providerIface = (*GoNameProvider)(nil)
+
+// GoNameProvider resolves json property names to go struct field names following
+// the same rules as the standard library's [encoding/json] package.
+//
+// Contrary to [NameProvider], it considers exported fields without a json tag,
+// and promotes fields from anonymous embedded struct types.
+//
+// Rules (aligned with encoding/json):
+//
+// - unexported fields are ignored;
+// - a field tagged `json:"-"` is ignored;
+// - a field tagged `json:"-,"` is kept under the json name "-" (stdlib quirk);
+// - a field tagged `json:""` or with no json tag at all keeps its Go name as json name;
+// - anonymous struct fields without an explicit json tag have their fields
+// promoted into the parent, following breadth-first depth rules:
+// a shallower field wins over a deeper one; at equal depth, a conflict
+// discards all conflicting fields unless exactly one has an explicit json tag.
+//
+// This type is safe for concurrent use.
+type GoNameProvider struct {
+ lock sync.Mutex
+ index map[reflect.Type]nameIndex
+}
+
+// NewGoNameProvider creates a new [GoNameProvider].
+func NewGoNameProvider() *GoNameProvider {
+ return &GoNameProvider{
+ index: make(map[reflect.Type]nameIndex),
+ }
+}
+
+// GetJSONNames gets all the json property names for a type.
+func (n *GoNameProvider) GetJSONNames(subject any) []string {
+ n.lock.Lock()
+ defer n.lock.Unlock()
+
+ tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
+ names := n.nameIndexFor(tpe)
+
+ res := make([]string, 0, len(names.jsonNames))
+ for k := range names.jsonNames {
+ res = append(res, k)
+ }
+
+ return res
+}
+
+// GetJSONName gets the json name for a go property name.
+func (n *GoNameProvider) GetJSONName(subject any, name string) (string, bool) {
+ tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
+
+ return n.GetJSONNameForType(tpe, name)
+}
+
+// GetJSONNameForType gets the json name for a go property name on a given type.
+func (n *GoNameProvider) GetJSONNameForType(tpe reflect.Type, name string) (string, bool) {
+ n.lock.Lock()
+ defer n.lock.Unlock()
+
+ names := n.nameIndexFor(tpe)
+ nme, ok := names.goNames[name]
+
+ return nme, ok
+}
+
+// GetGoName gets the go name for a json property name.
+func (n *GoNameProvider) GetGoName(subject any, name string) (string, bool) {
+ tpe := reflect.Indirect(reflect.ValueOf(subject)).Type()
+
+ return n.GetGoNameForType(tpe, name)
+}
+
+// GetGoNameForType gets the go name for a given type for a json property name.
+func (n *GoNameProvider) GetGoNameForType(tpe reflect.Type, name string) (string, bool) {
+ n.lock.Lock()
+ defer n.lock.Unlock()
+
+ names := n.nameIndexFor(tpe)
+ nme, ok := names.jsonNames[name]
+
+ return nme, ok
+}
+
+func (n *GoNameProvider) nameIndexFor(tpe reflect.Type) nameIndex {
+ if names, ok := n.index[tpe]; ok {
+ return names
+ }
+
+ names := buildGoNameIndex(tpe)
+ n.index[tpe] = names
+
+ return names
+}
+
+// fieldEntry captures a candidate field discovered while walking a struct
+// along with the indirection path from the root type (used to resolve conflicts
+// by depth in the same way encoding/json does).
+type fieldEntry struct {
+ goName string
+ jsonName string
+ index []int
+ tagged bool
+}
+
+func buildGoNameIndex(tpe reflect.Type) nameIndex {
+ fields := collectGoFields(tpe)
+
+ idx := make(map[string]string, len(fields))
+ reverseIdx := make(map[string]string, len(fields))
+ for _, f := range fields {
+ idx[f.jsonName] = f.goName
+ reverseIdx[f.goName] = f.jsonName
+ }
+
+ return nameIndex{jsonNames: idx, goNames: reverseIdx}
+}
+
+// collectGoFields walks tpe breadth-first along anonymous struct fields,
+// reproducing the field selection performed by encoding/json.typeFields.
+func collectGoFields(tpe reflect.Type) []fieldEntry {
+ if tpe.Kind() != reflect.Struct {
+ return nil
+ }
+
+ type queued struct {
+ typ reflect.Type
+ index []int
+ }
+
+ current := []queued{}
+ next := []queued{{typ: tpe}}
+ visited := map[reflect.Type]bool{tpe: true}
+
+ var (
+ candidates []fieldEntry
+ count = map[string]int{}
+ nextCount = map[string]int{}
+ )
+
+ for len(next) > 0 {
+ current, next = next, current[:0]
+ count, nextCount = nextCount, count
+ for k := range nextCount {
+ delete(nextCount, k)
+ }
+
+ for _, q := range current {
+ for i := 0; i < q.typ.NumField(); i++ {
+ sf := q.typ.Field(i)
+
+ if sf.Anonymous {
+ ft := sf.Type
+ if ft.Kind() == reflect.Ptr {
+ ft = ft.Elem()
+ }
+ if !sf.IsExported() && ft.Kind() != reflect.Struct {
+ continue
+ }
+ } else if !sf.IsExported() {
+ continue
+ }
+
+ tag := sf.Tag.Get("json")
+ if tag == "-" {
+ continue
+ }
+ jsonName, _ := parseJSONTag(tag)
+ tagged := jsonName != ""
+
+ ft := sf.Type
+ if ft.Kind() == reflect.Ptr {
+ ft = ft.Elem()
+ }
+
+ if sf.Anonymous && ft.Kind() == reflect.Struct && !tagged {
+ if visited[ft] {
+ continue
+ }
+ visited[ft] = true
+
+ index := make([]int, len(q.index)+1)
+ copy(index, q.index)
+ index[len(q.index)] = i
+ next = append(next, queued{typ: ft, index: index})
+
+ continue
+ }
+
+ name := jsonName
+ if name == "" {
+ name = sf.Name
+ }
+
+ index := make([]int, len(q.index)+1)
+ copy(index, q.index)
+ index[len(q.index)] = i
+
+ candidates = append(candidates, fieldEntry{
+ goName: sf.Name,
+ jsonName: name,
+ index: index,
+ tagged: tagged,
+ })
+ nextCount[name]++
+ }
+ }
+ }
+
+ return dominantFields(candidates)
+}
+
+// dominantFields applies the Go encoding/json conflict resolution rules:
+// at each JSON name, the shallowest field wins; at equal depth, a uniquely
+// tagged candidate wins; otherwise all candidates for that name are dropped.
+func dominantFields(candidates []fieldEntry) []fieldEntry {
+ byName := make(map[string][]fieldEntry, len(candidates))
+ for _, c := range candidates {
+ byName[c.jsonName] = append(byName[c.jsonName], c)
+ }
+
+ out := make([]fieldEntry, 0, len(byName))
+ for _, group := range byName {
+ if len(group) == 1 {
+ out = append(out, group[0])
+
+ continue
+ }
+
+ minDepth := len(group[0].index)
+ for _, c := range group[1:] {
+ if len(c.index) < minDepth {
+ minDepth = len(c.index)
+ }
+ }
+
+ var shallow []fieldEntry
+ for _, c := range group {
+ if len(c.index) == minDepth {
+ shallow = append(shallow, c)
+ }
+ }
+
+ if len(shallow) == 1 {
+ out = append(out, shallow[0])
+
+ continue
+ }
+
+ var tagged []fieldEntry
+ for _, c := range shallow {
+ if c.tagged {
+ tagged = append(tagged, c)
+ }
+ }
+ if len(tagged) == 1 {
+ out = append(out, tagged[0])
+ }
+ }
+
+ return out
+}
+
+// parseJSONTag returns the name component of a json struct tag and whether
+// it carried any non-name option (kept for future-proofing, e.g. "omitempty").
+func parseJSONTag(tag string) (string, string) {
+ if tag == "" {
+ return "", ""
+ }
+ if idx := strings.IndexByte(tag, ','); idx >= 0 {
+ return tag[:idx], tag[idx+1:]
+ }
+
+ return tag, ""
+}
diff --git a/vendor/github.com/go-openapi/swag/jsonname/ifaces.go b/vendor/github.com/go-openapi/swag/jsonname/ifaces.go
new file mode 100644
index 0000000000..812ace5639
--- /dev/null
+++ b/vendor/github.com/go-openapi/swag/jsonname/ifaces.go
@@ -0,0 +1,14 @@ +// SPDX-FileCopyrightText: Copyright 2015-2025 go-swagger maintainers +// SPDX-License-Identifier: Apache-2.0 + +package jsonname + +import "reflect" + +// providerIface is an unexported compile-time contract that every name provider +// in this package is expected to satisfy. +// It mirrors the interface declared by the main consumer of this module: [github.com/go-openapi/jsonpointer.NameProvider]. +type providerIface interface { + GetGoName(subject any, name string) (string, bool) + GetGoNameForType(tpe reflect.Type, name string) (string, bool) +} diff --git a/vendor/github.com/go-openapi/swag/jsonname/name_provider.go b/vendor/github.com/go-openapi/swag/jsonname/name_provider.go index 8eaf1bece8..9f5da7a016 100644 --- a/vendor/github.com/go-openapi/swag/jsonname/name_provider.go +++ b/vendor/github.com/go-openapi/swag/jsonname/name_provider.go @@ -12,6 +12,8 @@ import ( // DefaultJSONNameProvider is the default cache for types. var DefaultJSONNameProvider = NewNameProvider() +var _ providerIface = (*NameProvider)(nil) + // NameProvider represents an object capable of translating from go property names // to json property names. // diff --git a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go index 48657b0894..2e9be97aeb 100644 --- a/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go +++ b/vendor/github.com/openshift/api/config/v1/types_tlssecurityprofile.go 
@@ -7,10 +7,16 @@ type TLSSecurityProfile struct { // type is one of Old, Intermediate, Modern or Custom. Custom provides the // ability to specify individual TLS security profile parameters. // - // The profiles are based on version 5.7 of the Mozilla Server Side TLS - // configuration guidelines. The cipher lists consist of the configuration's - // "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - // See: https://ssl-config.mozilla.org/guidelines/5.7.json + // The cipher and groups lists in these profiles are based on version 5.8 of the + // Mozilla Server Side TLS configuration guidelines. + // See: https://ssl-config.mozilla.org/guidelines/5.8.json + // + // The groups are listed in suggested preference order, with the most preferred group first. + // Note that not all platform components honor the ordering: Go-based components use Go's + // internal preference order and treat this list as a filter of allowed groups rather than + // an ordered preference. + // Note that X25519MLKEM768 is a post-quantum hybrid group that is not + // FIPS-approved and should be ignored by components running in FIPS mode. // // The profiles are intent based, so they may change over time as new ciphers are // developed and existing ciphers are found to be insecure. Depending on @@ -23,6 +29,10 @@ type TLSSecurityProfile struct { // old is a TLS profile for use when services need to be accessed by very old // clients or libraries and should be used only as a last resort. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS10 // ciphers: 
@@ -39,11 +49,14 @@ type TLSSecurityProfile struct { // - ECDHE-RSA-AES128-SHA256 // - ECDHE-ECDSA-AES128-SHA // - ECDHE-RSA-AES128-SHA + // - ECDHE-ECDSA-AES256-SHA384 + // - ECDHE-RSA-AES256-SHA384 // - ECDHE-ECDSA-AES256-SHA // - ECDHE-RSA-AES256-SHA // - AES128-GCM-SHA256 // - AES256-GCM-SHA384 // - AES128-SHA256 + // - AES256-SHA256 // - AES128-SHA // - AES256-SHA // - DES-CBC3-SHA @@ -56,6 +69,10 @@ type TLSSecurityProfile struct { // legacy clients and want to remain highly secure while being compatible with // most clients currently in use. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS12 // ciphers: @@ -75,7 +92,9 @@ type TLSSecurityProfile struct { // modern is a TLS security profile for use with clients that support TLS 1.3 and // do not need backward compatibility for older clients. - // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS13 // ciphers: @@ -88,8 +107,11 @@ type TLSSecurityProfile struct { Modern *ModernTLSProfile `json:"modern,omitempty"` // custom is a user-defined TLS security profile. Be extremely careful using a custom - // profile as invalid configurations can be catastrophic. An example custom profile - // looks like this: + // profile as invalid configurations can be catastrophic. + // + // The supported groups list for this profile is empty by default. + // + // An example custom profile looks like this: // // minTLSVersion: VersionTLS11 // ciphers: 
@@ -142,6 +164,33 @@ const ( TLSProfileCustomType TLSProfileType = "Custom" ) +// TLSGroup is a supported group identifier that can be used in TLSProfile.Groups. +// There is a one-to-one mapping between these names and the group IDs defined +// in Go's crypto/tls package based on IANA's "TLS Supported Groups" registry: +// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8 +// Note that X25519MLKEM768 is a post-quantum hybrid group that is not +// FIPS-approved and should be ignored by components running in FIPS mode. +// +// +kubebuilder:validation:Enum=X25519;secp256r1;secp384r1;secp521r1;X25519MLKEM768;SecP256r1MLKEM768;SecP384r1MLKEM1024 +type TLSGroup string + +const ( + // TLSGroupX25519 represents X25519. + TLSGroupX25519 TLSGroup = "X25519" + // TLSGroupSecP256r1 represents P-256 (secp256r1). + TLSGroupSecP256r1 TLSGroup = "secp256r1" + // TLSGroupSecP384r1 represents P-384 (secp384r1). + TLSGroupSecP384r1 TLSGroup = "secp384r1" + // TLSGroupSecP521r1 represents P-521 (secp521r1). + TLSGroupSecP521r1 TLSGroup = "secp521r1" + // TLSGroupX25519MLKEM768 represents X25519MLKEM768. + TLSGroupX25519MLKEM768 TLSGroup = "X25519MLKEM768" + // TLSGroupSecP256r1MLKEM768 represents SecP256r1MLKEM768. + TLSGroupSecP256r1MLKEM768 TLSGroup = "SecP256r1MLKEM768" + // TLSGroupSecP384r1MLKEM1024 represents SecP384r1MLKEM1024. + TLSGroupSecP384r1MLKEM1024 TLSGroup = "SecP384r1MLKEM1024" +) + // TLSProfileSpec is the desired behavior of a TLSSecurityProfile. type TLSProfileSpec struct { // ciphers is used to specify the cipher algorithms that are negotiated 
@@ -155,6 +204,30 @@ type TLSProfileSpec struct { // and are always enabled when TLS 1.3 is negotiated. // +listType=atomic Ciphers []string `json:"ciphers"` + // groups is an optional, ordered field used to specify the supported groups (formerly known as + // elliptic curves) that are used during the TLS handshake. The order of the groups represents + // a suggested preference, with the most preferred group first. Note that not all platform + // components honor the ordering: Go-based components use Go's internal preference order and + // treat this list as a filter of allowed groups rather than an ordered preference. + // Operators may remove entries their operands do not support. + // + // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + // subject to change over time and may be different per platform component depending on the underlying TLS + // libraries they use. If specified, the list must contain at least one and at most 7 groups, + // and each group must be unique. + // + // For example, to use X25519 and secp256r1 (yaml): + // + // groups: + // - X25519 + // - secp256r1 + // + // +optional + // +listType=set + // +kubebuilder:validation:MaxItems=7 + // +kubebuilder:validation:MinItems=1 + // +openshift:enable:FeatureGate=TLSGroupPreferences + Groups []TLSGroup `json:"groups,omitempty"` // minTLSVersion is used to specify the minimal version of the TLS protocol // that is negotiated during the TLS handshake. For example, to use TLS // versions 1.1, 1.2 and 1.3 (yaml): 
@@ -187,16 +260,22 @@ const ( // TLSProfiles contains a map of TLSProfileType names to TLSProfileSpec. // -// These profiles are based on version 5.7 of the Mozilla Server Side TLS -// configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json +// The cipher and groups lists in these profiles are based on version 5.8 of the +// Mozilla Server Side TLS configuration guidelines. +// See: https://ssl-config.mozilla.org/guidelines/5.8.json // // Each Ciphers slice is the configuration's "ciphersuites" followed by the -// Go-specific "ciphers" from the guidelines JSON. +// "ciphers" from the guidelines JSON. +// +// Groups are listed in suggested preference order, though Go-based components may use +// their own internal ordering. TLSProfiles Old, Intermediate, Modern include by default +// the following groups: X25519MLKEM768, X25519, secp256r1, secp384r1 // // NOTE: The caller needs to make sure to check that these constants are valid // for their binary. Not all entries map to values for all binaries. In the case // of ties, the kube-apiserver wins. Do not fail, just be sure to include only -// valid entries and everything will be ok. +// valid entries and everything will be ok. In particular, X25519MLKEM768 is +// not FIPS-approved and must be omitted by components running in FIPS mode. var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ TLSProfileOldType: { Ciphers: []string{ @@ -213,15 +292,24 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", + "ECDHE-ECDSA-AES256-SHA384", + "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", + "AES256-SHA256", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", }, + Groups: []TLSGroup{ + TLSGroupX25519MLKEM768, + TLSGroupX25519, + TLSGroupSecP256r1, + TLSGroupSecP384r1, + }, MinTLSVersion: VersionTLS10, }, TLSProfileIntermediateType: { 
@@ -236,6 +324,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305", }, + Groups: []TLSGroup{ + TLSGroupX25519MLKEM768, + TLSGroupX25519, + TLSGroupSecP256r1, + TLSGroupSecP384r1, + }, MinTLSVersion: VersionTLS12, }, TLSProfileModernType: { @@ -244,6 +338,12 @@ var TLSProfiles = map[TLSProfileType]*TLSProfileSpec{ "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256", }, + Groups: []TLSGroup{ + TLSGroupX25519MLKEM768, + TLSGroupX25519, + TLSGroupSecP256r1, + TLSGroupSecP384r1, + }, MinTLSVersion: VersionTLS13, }, } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go index 8798482e47..13f1bc390d 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.deepcopy.go @@ -6412,6 +6412,11 @@ func (in *TLSProfileSpec) DeepCopyInto(out *TLSProfileSpec) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.Groups != nil { + in, out := &in.Groups, &out.Groups + *out = make([]TLSGroup, len(*in)) + copy(*out, *in) + } return } diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml index 7d4386cab5..13635bff49 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.featuregated-crd-manifests.yaml @@ -8,6 +8,7 @@ apiservers.config.openshift.io: FeatureGates: - KMSEncryption - TLSAdherence + - TLSGroupPreferences FilenameOperatorName: config-operator FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_10" 
diff --git a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go index 65c3c2ce88..1e9c65bf86 100644 --- a/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1/zz_generated.swagger_doc_generated.go 
@@ -3164,6 +3164,7 @@ func (OldTLSProfile) SwaggerDoc() map[string]string { var map_TLSProfileSpec = map[string]string{ "": "TLSProfileSpec is the desired behavior of a TLSSecurityProfile.", "ciphers": "ciphers is used to specify the cipher algorithms that are negotiated during the TLS handshake. Operators may remove entries that their operands do not support. For example, to use only ECDHE-RSA-AES128-GCM-SHA256 (yaml):\n\n ciphers:\n - ECDHE-RSA-AES128-GCM-SHA256\n\nTLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable and are always enabled when TLS 1.3 is negotiated.", + "groups": "groups is an optional, ordered field used to specify the supported groups (formerly known as elliptic curves) that are used during the TLS handshake. The order of the groups represents a suggested preference, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Operators may remove entries their operands do not support.\n\nWhen omitted, this means no opinion and the platform is left to choose reasonable defaults which are subject to change over time and may be different per platform component depending on the underlying TLS libraries they use. If specified, the list must contain at least one and at most 7 groups, and each group must be unique.\n\nFor example, to use X25519 and secp256r1 (yaml):\n\n groups:\n - X25519\n - secp256r1", "minTLSVersion": "minTLSVersion is used to specify the minimal version of the TLS protocol that is negotiated during the TLS handshake. For example, to use TLS versions 1.1, 1.2 and 1.3 (yaml):\n\n minTLSVersion: VersionTLS11", } 
@@ -3173,11 +3174,11 @@ func (TLSProfileSpec) SwaggerDoc() map[string]string { var map_TLSSecurityProfile = map[string]string{ "": "TLSSecurityProfile defines the schema for a TLS security profile. This object is used by operators to apply TLS security settings to operands.", - "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe profiles are based on version 5.7 of the Mozilla Server Side TLS configuration guidelines. The cipher lists consist of the configuration's \"ciphersuites\" followed by the Go-specific \"ciphers\" from the guidelines. See: https://ssl-config.mozilla.org/guidelines/5.7.json\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. Depending on precisely which ciphers are available to a process, the list may be reduced.", - "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", - "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThis profile is equivalent to a Custom profile 
specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", - "modern": "modern is a TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", - "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic. An example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", + "type": "type is one of Old, Intermediate, Modern or Custom. Custom provides the ability to specify individual TLS security profile parameters.\n\nThe cipher and groups lists in these profiles are based on version 5.8 of the Mozilla Server Side TLS configuration guidelines. See: https://ssl-config.mozilla.org/guidelines/5.8.json\n\nThe groups are listed in suggested preference order, with the most preferred group first. Note that not all platform components honor the ordering: Go-based components use Go's internal preference order and treat this list as a filter of allowed groups rather than an ordered preference. Note that X25519MLKEM768 is a post-quantum hybrid group that is not FIPS-approved and should be ignored by components running in FIPS mode.\n\nThe profiles are intent based, so they may change over time as new ciphers are developed and existing ciphers are found to be insecure. 
Depending on precisely which ciphers are available to a process, the list may be reduced.", + "old": "old is a TLS profile for use when services need to be accessed by very old clients or libraries and should be used only as a last resort.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS10\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-ECDSA-AES128-SHA256\n - ECDHE-RSA-AES128-SHA256\n - ECDHE-ECDSA-AES128-SHA\n - ECDHE-RSA-AES128-SHA\n - ECDHE-ECDSA-AES256-SHA384\n - ECDHE-RSA-AES256-SHA384\n - ECDHE-ECDSA-AES256-SHA\n - ECDHE-RSA-AES256-SHA\n - AES128-GCM-SHA256\n - AES256-GCM-SHA384\n - AES128-SHA256\n - AES256-SHA256\n - AES128-SHA\n - AES256-SHA\n - DES-CBC3-SHA", + "intermediate": "intermediate is a TLS profile for use when you do not need compatibility with legacy clients and want to remain highly secure while being compatible with most clients currently in use.\n\nThe supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1.\n\nThis profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS12\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES256-GCM-SHA384\n - ECDHE-RSA-AES256-GCM-SHA384\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305", + "modern": "modern is a 
TLS security profile for use with clients that support TLS 1.3 and do not need backward compatibility for older clients. The supported groups list includes by default the following groups in suggested preference order (ordering may not be honored by all implementations): X25519MLKEM768, X25519, secp256r1, secp384r1. This profile is equivalent to a Custom profile specified as:\n minTLSVersion: VersionTLS13\n ciphers:\n - TLS_AES_128_GCM_SHA256\n - TLS_AES_256_GCM_SHA384\n - TLS_CHACHA20_POLY1305_SHA256", + "custom": "custom is a user-defined TLS security profile. Be extremely careful using a custom profile as invalid configurations can be catastrophic.\n\nThe supported groups list for this profile is empty by default.\n\nAn example custom profile looks like this:\n\n minTLSVersion: VersionTLS11\n ciphers:\n - ECDHE-ECDSA-CHACHA20-POLY1305\n - ECDHE-RSA-CHACHA20-POLY1305\n - ECDHE-RSA-AES128-GCM-SHA256\n - ECDHE-ECDSA-AES128-GCM-SHA256", } func (TLSSecurityProfile) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go index 1f8693492d..cc2a3cb3bb 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/types_cluster_monitoring.go 
@@ -158,6 +158,12 @@ type ClusterMonitoringSpec struct { // When set, at least one field must be specified within monitoringPluginConfig. // +optional MonitoringPluginConfig MonitoringPluginConfig `json:"monitoringPluginConfig,omitempty,omitzero"` + // kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics + // agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about + // the state of Kubernetes objects such as Deployments, Nodes, and Pods. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // +optional + KubeStateMetricsConfig KubeStateMetricsConfig `json:"kubeStateMetricsConfig,omitempty,omitzero"` } // OpenShiftStateMetricsConfig provides configuration options for the openshift-state-metrics agent 
@@ -796,12 +802,43 @@ type AlertmanagerConfig struct { CustomConfig AlertmanagerCustomConfig `json:"customConfig,omitempty,omitzero"` } +// UserAlertmanagerConfigSelection controls whether the platform Alertmanager selects +// AlertmanagerConfig resources from user-defined namespaces. +// +enum +type UserAlertmanagerConfigSelection string + +const ( + // UserAlertmanagerConfigSelectionSelectable enables user-defined namespaces to be selected + // for AlertmanagerConfig lookups on the platform Alertmanager. + UserAlertmanagerConfigSelectionSelectable UserAlertmanagerConfigSelection = "Selectable" + // UserAlertmanagerConfigSelectionNone disables user-defined namespaces from being selected + // for AlertmanagerConfig lookups on the platform Alertmanager. + UserAlertmanagerConfigSelectionNone UserAlertmanagerConfigSelection = "None" +) + // AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. // alertmanagerCustomConfig provides configuration options for the default Alertmanager instance // that runs in the `openshift-monitoring` namespace. Use this configuration to control -// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled. +// whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs, +// and how its pods are scheduled. // +kubebuilder:validation:MinProperties=1 type AlertmanagerCustomConfig struct { + // userAlertmanagerConfigSelection is an optional field that controls whether user-defined + // namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager + // instance in the `openshift-monitoring` namespace. + // Valid values are Selectable and None. + // When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources + // in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in + // the cluster-monitoring-config ConfigMap. 
+ // When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups + // on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false` + // in the cluster-monitoring-config ConfigMap. + // This setting only applies when the user-workload monitoring Alertmanager is not enabled. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default value is `None`. + // +optional + // +kubebuilder:validation:Enum=Selectable;None + UserAlertmanagerConfigSelection UserAlertmanagerConfigSelection `json:"userAlertmanagerConfigSelection,omitempty"` // logLevel defines the verbosity of logs emitted by Alertmanager. // This field allows users to control the amount and severity of logs generated, which can be useful // for debugging issues or reducing noise in production environments. 
@@ -2574,3 +2611,154 @@ type Audit struct {
 // +required
 Profile AuditProfile `json:"profile,omitempty"`
 }
+
+// KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent
+// that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics
+// about the state of Kubernetes objects such as Deployments, Nodes, and Pods.
+// +kubebuilder:validation:MinProperties=1
+type KubeStateMetricsConfig struct {
+ // nodeSelector defines the nodes on which the Pods are scheduled.
+ // nodeSelector is optional.
+ //
+ // When omitted, this means the user has no opinion and the platform is left
+ // to choose reasonable defaults. These defaults are subject to change over time.
+ // The current default value is `kubernetes.io/os: linux`.
+ // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.
+ // +optional
+ // +kubebuilder:validation:MinProperties=1
+ // +kubebuilder:validation:MaxProperties=10
+ NodeSelector map[string]string `json:"nodeSelector,omitempty"`
+ // resources defines the compute resource requests and limits for the kube-state-metrics container.
+ // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage.
+ // When not specified, defaults are used by the platform. Requests cannot exceed limits.
+ // This field is optional.
+ // More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ // This is a simplified API that maps to Kubernetes ResourceRequirements.
+ // The current default values are:
+ // resources:
+ // - name: cpu
+ // request: 4m
+ // limit: null
+ // - name: memory
+ // request: 40Mi
+ // limit: null
+ // Maximum length for this list is 5.
+ // Minimum length for this list is 1.
+ // Each resource name must be unique within this list.
+ // +optional
+ // +listType=map
+ // +listMapKey=name
+ // +kubebuilder:validation:MaxItems=5
+ // +kubebuilder:validation:MinItems=1
+ Resources []ContainerResource `json:"resources,omitempty"`
+ // tolerations defines tolerations for the pods.
+ // tolerations is optional.
+ //
+ // When omitted, no tolerations are applied. This default is subject to change over time.
+ // When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries.
+ // Each toleration's operator, when specified, must be either "Exists" or "Equal".
+ // Each toleration's effect, when specified, must be one of "NoSchedule", "PreferNoSchedule", or "NoExecute".
+ // An empty or unset effect means match all effects.
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=atomic
+ // +kubebuilder:validation:XValidation:rule="self.all(t, !has(t.operator) || t.operator == 'Exists' || t.operator == 'Equal')",message="operator must be either Exists or Equal"
+ // +kubebuilder:validation:XValidation:rule="self.all(t, !has(t.effect) || t.effect == 'NoSchedule' || t.effect == 'PreferNoSchedule' || t.effect == 'NoExecute' || t.effect == '')",message="effect must be NoSchedule, PreferNoSchedule, NoExecute, or empty"
+ // +optional
+ Tolerations []v1.Toleration `json:"tolerations,omitempty"`
+ // topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed
+ // across topology domains such as zones, nodes, or other user-defined labels.
+ // topologySpreadConstraints is optional.
+ // This helps improve high availability and resource efficiency by avoiding placing
+ // too many replicas in the same failure domain.
+ //
+ // This field maps directly to the `topologySpreadConstraints` field in the Pod spec.
+ // When omitted, no topology spread constraints are applied. This default is subject to change over time.
+ // When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries.
+ // Entries must have unique topologyKey and whenUnsatisfiable pairs.
+ // Each entry's whenUnsatisfiable must be either "DoNotSchedule" or "ScheduleAnyway".
+ // Each entry's maxSkew must be at least 1.
+ // When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be "DoNotSchedule".
+ // +kubebuilder:validation:MaxItems=10
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=topologyKey
+ // +listMapKey=whenUnsatisfiable
+ // +kubebuilder:validation:XValidation:rule="self.all(c, c.whenUnsatisfiable == 'DoNotSchedule' || c.whenUnsatisfiable == 'ScheduleAnyway')",message="whenUnsatisfiable must be either DoNotSchedule or ScheduleAnyway"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, c.maxSkew >= 1)",message="maxSkew must be at least 1"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, !has(c.minDomains) || c.minDomains >= 1)",message="minDomains must be at least 1"
+ // +kubebuilder:validation:XValidation:rule="self.all(c, !has(c.minDomains) || c.whenUnsatisfiable == 'DoNotSchedule')",message="minDomains can only be used when whenUnsatisfiable is DoNotSchedule"
+ // +optional
+ TopologySpreadConstraints []v1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
+ // additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics
+ // in kube-state-metrics.
+ // Currently, only "Job" and "CronJob" resources are supported due to cardinality concerns.
+ // Each entry specifies a resource name and a list of Kubernetes label names to expose.
+ // Use "*" in the labels list to expose all labels for a given resource.
+ // additionalResourceLabels is optional.
+ // When omitted, no additional Kubernetes object labels are exposed as metrics
+ // by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name).
+ // Use this field to opt in to exposing specific Kubernetes labels as metric labels
+ // for the supported resource types.
+ // Minimum length for this list is 1.
+ // Maximum length for this list is 2.
+ // Each resource name must be unique within this list.
+ // +optional
+ // +kubebuilder:validation:MaxItems=2
+ // +kubebuilder:validation:MinItems=1
+ // +listType=map
+ // +listMapKey=resource
+ AdditionalResourceLabels []KubeStateMetricsResourceLabels `json:"additionalResourceLabels,omitempty"`
+}
+
+// KubeStateMetricsResourceName is the name of a Kubernetes resource whose labels can be exposed
+// as metrics by kube-state-metrics. Currently, only "Job" and "CronJob" are supported
+// due to cardinality concerns.
+// Valid values are "Job" and "CronJob".
+// +kubebuilder:validation:Enum=Job;CronJob
+type KubeStateMetricsResourceName string
+
+const (
+ // KubeStateMetricsResourceJob indicates the Kubernetes Job resource.
+ KubeStateMetricsResourceJob KubeStateMetricsResourceName = "Job"
+ // KubeStateMetricsResourceCronJob indicates the Kubernetes CronJob resource.
+ KubeStateMetricsResourceCronJob KubeStateMetricsResourceName = "CronJob"
+)
+
+// KubeStateMetricsLabelName is the name of a Kubernetes label to expose as a metric
+// via kube-state-metrics. Use "*" to expose all labels for a resource.
+// Must be either the wildcard "*" or a valid Kubernetes label key.
+// A valid label key has an optional DNS subdomain prefix followed by a "/" and a name segment,
+// or just a name segment without a prefix. The name segment must be 63 characters or fewer,
+// beginning and ending with an alphanumeric character, with dashes, underscores, dots, and
+// alphanumerics in between.
+// Must be at least 1 character and at most 253 characters in length.
+// +kubebuilder:validation:MinLength=1
+// +kubebuilder:validation:MaxLength=253
+// +kubebuilder:validation:XValidation:rule="self == '*' || !format.qualifiedName().validate(self).hasValue()",message="must be a valid Kubernetes label key or the wildcard '*'"
+type KubeStateMetricsLabelName string
+
+// KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics
+// for a given resource type in kube-state-metrics.
+type KubeStateMetricsResourceLabels struct {
+ // resource is the Kubernetes resource name whose labels should be exposed as metrics.
+ // Currently, only "Job" and "CronJob" are supported due to cardinality concerns.
+ // Valid values are "Job" and "CronJob".
+ // This field is required.
+ // +required
+ Resource KubeStateMetricsResourceName `json:"resource,omitempty"`
+ // labels is the list of Kubernetes label names to expose as metrics for this resource.
+ // Use "*" to expose all labels for the specified resource.
+ // When "*" is specified, it must be the only entry in the list; mixing "*" with
+ // specific label names is not allowed.
+ // This field is required.
+ // Each label name must be unique within this list.
+ // Minimum length for this list is 1.
+ // Maximum length for this list is 50.
+ // +required
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=50
+ // +listType=set
+ // +kubebuilder:validation:XValidation:rule="!self.exists(l, l == '*') || self.size() == 1",message="when '*' is specified, no other labels may be listed"
+ Labels []KubeStateMetricsLabelName `json:"labels,omitempty"`
+}
diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
index a481b6b4c6..7313338a3b 100644
--- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.deepcopy.go
@@ -451,6 +451,7 @@ func (in *ClusterMonitoringSpec) DeepCopyInto(out *ClusterMonitoringSpec) { in.ThanosQuerierConfig.DeepCopyInto(&out.ThanosQuerierConfig) in.NodeExporterConfig.DeepCopyInto(&out.NodeExporterConfig) in.MonitoringPluginConfig.DeepCopyInto(&out.MonitoringPluginConfig) + in.KubeStateMetricsConfig.DeepCopyInto(&out.KubeStateMetricsConfig) return } 
@@ -751,6 +752,78 @@ func (in *KeyConfig) DeepCopy() *KeyConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeStateMetricsConfig) DeepCopyInto(out *KubeStateMetricsConfig) { + *out = *in + if in.NodeSelector != nil { + in, out := &in.NodeSelector, &out.NodeSelector + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.Resources != nil { + in, out := &in.Resources, &out.Resources + *out = make([]ContainerResource, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.Tolerations != nil { + in, out := &in.Tolerations, &out.Tolerations + *out = make([]v1.Toleration, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.TopologySpreadConstraints != nil { + in, out := &in.TopologySpreadConstraints, &out.TopologySpreadConstraints + *out = make([]v1.TopologySpreadConstraint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.AdditionalResourceLabels != nil { + in, out := &in.AdditionalResourceLabels, &out.AdditionalResourceLabels + *out = make([]KubeStateMetricsResourceLabels, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeStateMetricsConfig. +func (in *KubeStateMetricsConfig) DeepCopy() *KubeStateMetricsConfig { + if in == nil { + return nil + } + out := new(KubeStateMetricsConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *KubeStateMetricsResourceLabels) DeepCopyInto(out *KubeStateMetricsResourceLabels) { + *out = *in + if in.Labels != nil { + in, out := &in.Labels, &out.Labels + *out = make([]KubeStateMetricsLabelName, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeStateMetricsResourceLabels. +func (in *KubeStateMetricsResourceLabels) DeepCopy() *KubeStateMetricsResourceLabels { + if in == nil { + return nil + } + out := new(KubeStateMetricsResourceLabels) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Label) DeepCopyInto(out *Label) { *out = *in diff --git a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go index 0b364ee25c..44db6eb6a9 100644 --- a/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go +++ b/vendor/github.com/openshift/api/config/v1alpha1/zz_generated.swagger_doc_generated.go 
@@ -106,14 +106,15 @@ func (AlertmanagerConfig) SwaggerDoc() map[string]string { } var map_AlertmanagerCustomConfig = map[string]string{ - "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled.", - "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", - "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", - "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. 
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", - "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", - "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", - "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. 
This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. Entries must have unique topologyKey and whenUnsatisfiable pairs.", - "volumeClaimTemplate": "volumeClaimTemplate defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class and volume size. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts.", + "": "AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. alertmanagerCustomConfig provides configuration options for the default Alertmanager instance that runs in the `openshift-monitoring` namespace. Use this configuration to control whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs, and how its pods are scheduled.", + "userAlertmanagerConfigSelection": "userAlertmanagerConfigSelection is an optional field that controls whether user-defined namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager instance in the `openshift-monitoring` namespace. Valid values are Selectable and None. When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in the cluster-monitoring-config ConfigMap. When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false` in the cluster-monitoring-config ConfigMap. 
This setting only applies when the user-workload monitoring Alertmanager is not enabled. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default value is `None`.", + "logLevel": "logLevel defines the verbosity of logs emitted by Alertmanager. This field allows users to control the amount and severity of logs generated, which can be useful for debugging issues or reducing noise in production environments. Allowed values are Error, Warn, Info, and Debug. When set to Error, only errors will be logged. When set to Warn, both warnings and errors will be logged. When set to Info, general information, warnings, and errors will all be logged. When set to Debug, detailed debugging information will be logged. When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. The current default value is `Info`.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`.", + "resources": "resources defines the compute resource requests and limits for the Alertmanager container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. 
Each resource name must be unique within this list.", + "secrets": "secrets defines a list of secrets that need to be mounted into the Alertmanager. The secrets must reside within the same namespace as the Alertmanager object. They will be added as volumes named secret- and mounted at /etc/alertmanager/secrets/ within the 'alertmanager' container of the Alertmanager Pods.\n\nThese secrets can be used to authenticate Alertmanager with endpoint receivers. For example, you can use secrets to: - Provide certificates for TLS authentication with receivers that require private CA certificates - Store credentials for Basic HTTP authentication with receivers that require password-based auth - Store any other authentication credentials needed by your alert receivers\n\nThis field is optional. Maximum length for this list is 10. Minimum length for this list is 1. Entries in this list must be unique.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. Defaults are empty/unset. Maximum length for this list is 10. Minimum length for this list is 1.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how Alertmanager Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nWhen omitted, this means no opinion and the platform is left to choose a default, which is subject to change over time. This field maps directly to the `topologySpreadConstraints` field in the Pod spec. Default is empty list. Maximum length for this list is 10. Minimum length for this list is 1. 
Entries must have unique topologyKey and whenUnsatisfiable pairs.", + "volumeClaimTemplate": "volumeClaimTemplate defines persistent storage for Alertmanager. Use this setting to configure the persistent volume claim, including storage class and volume size. If omitted, the Pod uses ephemeral storage and alert data will not persist across restarts.", } func (AlertmanagerCustomConfig) SwaggerDoc() map[string]string { 
@@ -183,6 +184,7 @@ var map_ClusterMonitoringSpec = map[string]string{ "thanosQuerierConfig": "thanosQuerierConfig is an optional field that can be used to configure the Thanos Querier component that runs in the openshift-monitoring namespace. The Thanos Querier provides a global query view by aggregating and deduplicating metrics from multiple Prometheus instances. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default deploys the Thanos Querier on linux nodes with 5m CPU and 12Mi memory requests, and no custom tolerations or topology spread constraints. When set, at least one field must be specified within thanosQuerierConfig.", "nodeExporterConfig": "nodeExporterConfig is an optional field that can be used to configure the node-exporter agent that runs as a DaemonSet in the openshift-monitoring namespace. The node-exporter agent collects hardware and OS-level metrics from every node in the cluster. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", "monitoringPluginConfig": "monitoringPluginConfig is an optional field that can be used to configure the monitoring plugin that runs as a dynamic plugin of the OpenShift web console. The monitoring plugin provides the monitoring UI in the OpenShift web console for visualizing metrics, alerts, and dashboards. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. The current default deploys the monitoring-plugin as a single-replica Deployment on linux nodes with 10m CPU and 50Mi memory requests, and no custom tolerations or topology spread constraints. 
When set, at least one field must be specified within monitoringPluginConfig.", + "kubeStateMetricsConfig": "kubeStateMetricsConfig is an optional field that can be used to configure the kube-state-metrics agent that runs in the openshift-monitoring namespace. kube-state-metrics generates metrics about the state of Kubernetes objects such as Deployments, Nodes, and Pods. When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time.", } func (ClusterMonitoringSpec) SwaggerDoc() map[string]string { 
@@ -236,6 +238,29 @@ func (KeepEqualActionConfig) SwaggerDoc() map[string]string { return map_KeepEqualActionConfig } +var map_KubeStateMetricsConfig = map[string]string{ + "": "KubeStateMetricsConfig provides configuration options for the kube-state-metrics agent that runs in the `openshift-monitoring` namespace. kube-state-metrics generates metrics about the state of Kubernetes objects such as Deployments, Nodes, and Pods.", + "nodeSelector": "nodeSelector defines the nodes on which the Pods are scheduled. nodeSelector is optional.\n\nWhen omitted, this means the user has no opinion and the platform is left to choose reasonable defaults. These defaults are subject to change over time. The current default value is `kubernetes.io/os: linux`. When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries.", + "resources": "resources defines the compute resource requests and limits for the kube-state-metrics container. This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. When not specified, defaults are used by the platform. Requests cannot exceed limits. This field is optional. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ This is a simplified API that maps to Kubernetes ResourceRequirements. The current default values are:\n resources:\n - name: cpu\n request: 4m\n limit: null\n - name: memory\n request: 40Mi\n limit: null\nMaximum length for this list is 5. Minimum length for this list is 1. Each resource name must be unique within this list.", + "tolerations": "tolerations defines tolerations for the pods. tolerations is optional.\n\nWhen omitted, no tolerations are applied. This default is subject to change over time. When specified, tolerations must contain at least 1 entry and must not contain more than 10 entries. Each toleration's operator, when specified, must be either \"Exists\" or \"Equal\". 
Each toleration's effect, when specified, must be one of \"NoSchedule\", \"PreferNoSchedule\", or \"NoExecute\". An empty or unset effect means match all effects.", + "topologySpreadConstraints": "topologySpreadConstraints defines rules for how kube-state-metrics Pods should be distributed across topology domains such as zones, nodes, or other user-defined labels. topologySpreadConstraints is optional. This helps improve high availability and resource efficiency by avoiding placing too many replicas in the same failure domain.\n\nThis field maps directly to the `topologySpreadConstraints` field in the Pod spec. When omitted, no topology spread constraints are applied. This default is subject to change over time. When specified, topologySpreadConstraints must contain at least 1 entry and must not contain more than 10 entries. Entries must have unique topologyKey and whenUnsatisfiable pairs. Each entry's whenUnsatisfiable must be either \"DoNotSchedule\" or \"ScheduleAnyway\". Each entry's maxSkew must be at least 1. When minDomains is specified, it must be at least 1 and whenUnsatisfiable must be \"DoNotSchedule\".", + "additionalResourceLabels": "additionalResourceLabels defines additional Kubernetes resource labels to expose as metrics in kube-state-metrics. Currently, only \"Job\" and \"CronJob\" resources are supported due to cardinality concerns. Each entry specifies a resource name and a list of Kubernetes label names to expose. Use \"*\" in the labels list to expose all labels for a given resource. additionalResourceLabels is optional. When omitted, no additional Kubernetes object labels are exposed as metrics by kube-state-metrics beyond its built-in metric labels (e.g. namespace, job_name). Use this field to opt in to exposing specific Kubernetes labels as metric labels for the supported resource types. Minimum length for this list is 1. Maximum length for this list is 2. 
Each resource name must be unique within this list.", +} + +func (KubeStateMetricsConfig) SwaggerDoc() map[string]string { + return map_KubeStateMetricsConfig +} + +var map_KubeStateMetricsResourceLabels = map[string]string{ + "": "KubeStateMetricsResourceLabels defines which Kubernetes labels to expose as metrics for a given resource type in kube-state-metrics.", + "resource": "resource is the Kubernetes resource name whose labels should be exposed as metrics. Currently, only \"Job\" and \"CronJob\" are supported due to cardinality concerns. Valid values are \"Job\" and \"CronJob\". This field is required.", + "labels": "labels is the list of Kubernetes label names to expose as metrics for this resource. Use \"*\" to expose all labels for the specified resource. When \"*\" is specified, it must be the only entry in the list; mixing \"*\" with specific label names is not allowed. This field is required. Each label name must be unique within this list. Minimum length for this list is 1. Maximum length for this list is 50.", +} + +func (KubeStateMetricsResourceLabels) SwaggerDoc() map[string]string { + return map_KubeStateMetricsResourceLabels +} + var map_Label = map[string]string{ "": "Label represents a key/value pair for external labels.", "key": "key is the name of the label. Prometheus supports UTF-8 label names, so any valid UTF-8 string is allowed. Must be between 1 and 128 characters in length.", diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/register.go b/vendor/github.com/openshift/api/machineconfiguration/v1/register.go index d0a88324f7..d52f6480e8 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/register.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/register.go 
@@ -38,6 +38,8 @@ func addKnownTypes(scheme *runtime.Scheme) error { &MachineOSConfigList{}, &MachineOSBuild{}, &MachineOSBuildList{}, + &OSImageStream{}, + &OSImageStreamList{}, &PinnedImageSet{}, &PinnedImageSetList{}, &MachineConfigNode{}, diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types.go index 21615ee9aa..33c12be923 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/types.go +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types.go @@ -811,10 +811,17 @@ type KubeletConfigCondition struct { type KubeletConfigStatusConditionType string const ( + // KubeletConfigAccepted designates whether a KubeletConfig CR has been accepted. + // When the condition status is True, the KubeletConfig has been accepted successfully. + // When the condition status is False, the KubeletConfig has not been accepted. + KubeletConfigAccepted KubeletConfigStatusConditionType = "Accepted" + // KubeletConfigSuccess designates a successful application of a KubeletConfig CR. + // Deprecated: Use KubeletConfigAccepted instead. KubeletConfigSuccess will be removed in a future release. KubeletConfigSuccess KubeletConfigStatusConditionType = "Success" // KubeletConfigFailure designates a failure applying a KubeletConfig CR. + // Deprecated: Use KubeletConfigAccepted with status False instead. KubeletConfigFailure will be removed in a future release. KubeletConfigFailure KubeletConfigStatusConditionType = "Failure" ) diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/types_osimagestream.go b/vendor/github.com/openshift/api/machineconfiguration/v1/types_osimagestream.go new file mode 100644 index 0000000000..162bd98aac --- /dev/null +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/types_osimagestream.go 
@@ -0,0 +1,162 @@
+package v1
+
+import (
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OSImageStream describes a set of streams and associated images available
+// for the MachineConfigPools to be used as base OS images.
+//
+// The resource is a singleton named "cluster".
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+// +kubebuilder:object:root=true
+// +kubebuilder:resource:path=osimagestreams,scope=Cluster
+// +kubebuilder:subresource:status
+// +openshift:api-approved.openshift.io=https://github.com/openshift/api/pull/2555
+// +openshift:file-pattern=cvoRunLevel=0000_80,operatorName=machine-config,operatorOrdering=01
+// +openshift:enable:FeatureGate=OSStreams
+// +kubebuilder:metadata:labels=openshift.io/operator-managed=
+// +kubebuilder:validation:XValidation:rule="self.metadata.name == 'cluster'",message="osimagestream is a singleton, .metadata.name must be 'cluster'"
+// +kubebuilder:validation:XValidation:rule="self.spec == oldSelf.spec || !has(self.status) || self.spec.defaultStream in self.status.availableStreams.map(s, s.name)",message="spec.defaultStream must reference an existing stream name from status.availableStreams"
+type OSImageStream struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ // +optional
+ metav1.ObjectMeta `json:"metadata,omitempty"`
+
+ // spec contains the desired OSImageStream config configuration.
+ // +required
+ Spec OSImageStreamSpec `json:"spec,omitzero,omitempty"`
+
+ // status describes the last observed state of this OSImageStream.
+ // Populated by the MachineConfigOperator after reading release metadata.
+ // When not present, the controller has not yet reconciled this resource.
+ // +optional
+ Status OSImageStreamStatus `json:"status,omitempty,omitzero"`
+}
+
+// OSImageStreamStatus describes the current state of a OSImageStream
+// +kubebuilder:validation:XValidation:rule="self.defaultStream in self.availableStreams.map(s, s.name)",message="defaultStream must reference a stream name from availableStreams"
+type OSImageStreamStatus struct {
+
+ // availableStreams is a list of the available OS Image Streams that can be
+ // used as the base image for MachineConfigPools.
+ // availableStreams is required, must have at least one item, must not exceed
+ // 100 items, and must have unique entries keyed on the name field.
+ //
+ // +required
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=100
+ // +listType=map
+ // +listMapKey=name
+ AvailableStreams []OSImageStreamSet `json:"availableStreams,omitempty"`
+
+ // defaultStream is the name of the stream that should be used as the default
+ // when no specific stream is requested by a MachineConfigPool.
+ //
+ // It must be a valid RFC 1123 subdomain between 1 and 253 characters in length,
+ // consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'),
+ // and must reference the name of one of the streams in availableStreams.
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+ DefaultStream string `json:"defaultStream,omitempty"`
+}
+
+// OSImageStreamSpec defines the desired state of a OSImageStream.
+type OSImageStreamSpec struct {
+ // defaultStream is the desired name of the stream that should be used as the
+ // default when no specific stream is requested by a MachineConfigPool.
+ //
+ // This field is set by the installer during installation. Users may need to
+ // update it if the currently selected stream is no longer available, for
+ // example when the stream has reached its End of Life.
+ // The MachineConfigOperator uses this value to determine which stream from
+ // status.availableStreams to apply as the default for MachineConfigPools
+ // that do not specify a stream override.
+ //
+ // When status.availableStreams has been populated by the operator, updating
+ // this field requires that the new value references the name of one of the
+ // streams in status.availableStreams. Status-only updates by the operator
+ // are not subject to this constraint, allowing the operator to update
+ // availableStreams independently of this field.
+ // During initial creation, before the operator has populated status, any
+ // valid value is accepted.
+ //
+ // For upgrade scenarios where the source OCP version doesn't have this CRD
+ // the MCO creates and populates the OSImageStream cluster singleton setting
+ // this field with the proper value based on the source OCP version.
+ //
+ // It must be a valid RFC 1123 subdomain between 1 and 253 characters in length,
+ // consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+ DefaultStream string `json:"defaultStream,omitempty"`
+}
+
+type OSImageStreamSet struct {
+ // name is the required identifier of the stream.
+ //
+ // name is determined by the operator based on the OCI label of the
+ // discovered OS or Extension Image.
+ //
+ // Must be a valid RFC 1123 subdomain between 1 and 253 characters in length,
+ // consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').
+ //
+ // +required
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=253
+ // +kubebuilder:validation:XValidation:rule="!format.dns1123Subdomain().validate(self).hasValue()",message="a RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character."
+ Name string `json:"name,omitempty"`
+
+ // osImage is a required OS Image referenced by digest.
+ //
+ // osImage contains the immutable, fundamental operating system components, including the kernel
+ // and base utilities, that define the core environment for the node's host operating system.
+ //
+ // The format of the image pull spec is: host[:port][/namespace]/name@sha256:,
+ // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
+ // The length of the whole spec must be between 1 to 447 characters.
+ // +required
+ OSImage ImageDigestFormat `json:"osImage,omitempty"`
+
+ // osExtensionsImage is a required OS Extensions Image referenced by digest.
+ //
+ // osExtensionsImage bundles the extra repositories used to enable extensions, augmenting
+ // the base operating system without modifying the underlying immutable osImage.
+ //
+ // The format of the image pull spec is: host[:port][/namespace]/name@sha256:,
+ // where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9.
+ // The length of the whole spec must be between 1 to 447 characters.
+ // +required
+ OSExtensionsImage ImageDigestFormat `json:"osExtensionsImage,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// OSImageStreamList is a list of OSImageStream resources
+//
+// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
+// +openshift:compatibility-gen:level=1
+type OSImageStreamList struct {
+ metav1.TypeMeta `json:",inline"`
+
+ // metadata is the standard list's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+ metav1.ListMeta `json:"metadata"`
+
+ Items []OSImageStream `json:"items"`
+}
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go
index a42a2f36ed..9b738f8622 100644
--- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.deepcopy.go
@@ -1553,6 +1553,67 @@ func (in *NetworkInfo) DeepCopy() *NetworkInfo { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OSImageStream) DeepCopyInto(out *OSImageStream) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + out.Spec = in.Spec + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OSImageStream. +func (in *OSImageStream) DeepCopy() *OSImageStream { + if in == nil { + return nil + } + out := new(OSImageStream) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OSImageStream) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OSImageStreamList) DeepCopyInto(out *OSImageStreamList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]OSImageStream, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OSImageStreamList. +func (in *OSImageStreamList) DeepCopy() *OSImageStreamList { + if in == nil { + return nil + } + out := new(OSImageStreamList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *OSImageStreamList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. func (in *OSImageStreamReference) DeepCopyInto(out *OSImageStreamReference) { *out = *in 
@@ -1569,6 +1630,59 @@ func (in *OSImageStreamReference) DeepCopy() *OSImageStreamReference { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OSImageStreamSet) DeepCopyInto(out *OSImageStreamSet) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OSImageStreamSet. +func (in *OSImageStreamSet) DeepCopy() *OSImageStreamSet { + if in == nil { + return nil + } + out := new(OSImageStreamSet) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OSImageStreamSpec) DeepCopyInto(out *OSImageStreamSpec) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OSImageStreamSpec. +func (in *OSImageStreamSpec) DeepCopy() *OSImageStreamSpec { + if in == nil { + return nil + } + out := new(OSImageStreamSpec) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *OSImageStreamStatus) DeepCopyInto(out *OSImageStreamStatus) { + *out = *in + if in.AvailableStreams != nil { + in, out := &in.AvailableStreams, &out.AvailableStreams + *out = make([]OSImageStreamSet, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OSImageStreamStatus. +func (in *OSImageStreamStatus) DeepCopy() *OSImageStreamStatus { + if in == nil { + return nil + } + out := new(OSImageStreamStatus) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ObjectReference) DeepCopyInto(out *ObjectReference) { *out = *in 
diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml index c5d566e19a..68186d1d31 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.featuregated-crd-manifests.yaml @@ -62,7 +62,8 @@ kubeletconfigs.machineconfiguration.openshift.io: CRDName: kubeletconfigs.machineconfiguration.openshift.io Capability: "" Category: "" - FeatureGates: [] + FeatureGates: + - TLSGroupPreferences FilenameOperatorName: machine-config FilenameOperatorOrdering: "01" FilenameRunLevel: "0000_80" @@ -317,6 +318,30 @@ machineosconfigs.machineconfiguration.openshift.io: TopLevelFeatureGates: [] Version: v1 +osimagestreams.machineconfiguration.openshift.io: + Annotations: {} + ApprovedPRNumber: https://github.com/openshift/api/pull/2555 + CRDName: osimagestreams.machineconfiguration.openshift.io + Capability: "" + Category: "" + FeatureGates: + - OSStreams + FilenameOperatorName: machine-config + FilenameOperatorOrdering: "01" + FilenameRunLevel: "0000_80" + GroupName: machineconfiguration.openshift.io + HasStatus: true + KindName: OSImageStream + Labels: + openshift.io/operator-managed: "" + PluralName: osimagestreams + PrinterColumns: [] + Scope: Cluster + ShortNames: null + TopLevelFeatureGates: + - OSStreams + Version: v1 + pinnedimagesets.machineconfiguration.openshift.io: Annotations: {} ApprovedPRNumber: https://github.com/openshift/api/pull/2198 diff --git a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go index 0bf471c479..7369c02db0 100644 --- a/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
+++ b/vendor/github.com/openshift/api/machineconfiguration/v1/zz_generated.swagger_doc_generated.go 
@@ -717,6 +717,55 @@ func (MachineOSImageBuilder) SwaggerDoc() map[string]string { return map_MachineOSImageBuilder } +var map_OSImageStream = map[string]string{ + "": "OSImageStream describes a set of streams and associated images available for the MachineConfigPools to be used as base OS images.\n\nThe resource is a singleton named \"cluster\".\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", + "spec": "spec contains the desired OSImageStream config configuration.", + "status": "status describes the last observed state of this OSImageStream. Populated by the MachineConfigOperator after reading release metadata. When not present, the controller has not yet reconciled this resource.", +} + +func (OSImageStream) SwaggerDoc() map[string]string { + return map_OSImageStream +} + +var map_OSImageStreamList = map[string]string{ + "": "OSImageStreamList is a list of OSImageStream resources\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).", + "metadata": "metadata is the standard list's metadata. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata", +} + +func (OSImageStreamList) SwaggerDoc() map[string]string { + return map_OSImageStreamList +} + +var map_OSImageStreamSet = map[string]string{ + "name": "name is the required identifier of the stream.\n\nname is determined by the operator based on the OCI label of the discovered OS or Extension Image.\n\nMust be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", + "osImage": "osImage is a required OS Image referenced by digest.\n\nosImage contains the immutable, fundamental operating system components, including the kernel and base utilities, that define the core environment for the node's host operating system.\n\nThe format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", + "osExtensionsImage": "osExtensionsImage is a required OS Extensions Image referenced by digest.\n\nosExtensionsImage bundles the extra repositories used to enable extensions, augmenting the base operating system without modifying the underlying immutable osImage.\n\nThe format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. 
The length of the whole spec must be between 1 to 447 characters.", +} + +func (OSImageStreamSet) SwaggerDoc() map[string]string { + return map_OSImageStreamSet +} + +var map_OSImageStreamSpec = map[string]string{ + "": "OSImageStreamSpec defines the desired state of a OSImageStream.", + "defaultStream": "defaultStream is the desired name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nThis field is set by the installer during installation. Users may need to update it if the currently selected stream is no longer available, for example when the stream has reached its End of Life. The MachineConfigOperator uses this value to determine which stream from status.availableStreams to apply as the default for MachineConfigPools that do not specify a stream override.\n\nWhen status.availableStreams has been populated by the operator, updating this field requires that the new value references the name of one of the streams in status.availableStreams. Status-only updates by the operator are not subject to this constraint, allowing the operator to update availableStreams independently of this field. 
During initial creation, before the operator has populated status, any valid value is accepted.\n\nFor upgrade scenarios where the source OCP version doesn't have this CRD the MCO creates and populates the OSImageStream cluster singleton setting this field with the proper value based on the source OCP version.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.').", +} + +func (OSImageStreamSpec) SwaggerDoc() map[string]string { + return map_OSImageStreamSpec +} + +var map_OSImageStreamStatus = map[string]string{ + "": "OSImageStreamStatus describes the current state of a OSImageStream", + "availableStreams": "availableStreams is a list of the available OS Image Streams that can be used as the base image for MachineConfigPools. availableStreams is required, must have at least one item, must not exceed 100 items, and must have unique entries keyed on the name field.", + "defaultStream": "defaultStream is the name of the stream that should be used as the default when no specific stream is requested by a MachineConfigPool.\n\nIt must be a valid RFC 1123 subdomain between 1 and 253 characters in length, consisting of lowercase alphanumeric characters, hyphens ('-'), and periods ('.'), and must reference the name of one of the streams in availableStreams.", +} + +func (OSImageStreamStatus) SwaggerDoc() map[string]string { + return map_OSImageStreamStatus +} + var map_PinnedImageRef = map[string]string{ "": "PinnedImageRef represents a reference to an OCI image", "name": "name is an OCI Image referenced by digest. The format of the image pull spec is: host[:port][/namespace]/name@sha256:, where the digest must be 64 characters long, and consist only of lowercase hexadecimal characters, a-f and 0-9. The length of the whole spec must be between 1 to 447 characters.", 
diff --git a/vendor/github.com/openshift/api/operator/v1/types_etcd.go b/vendor/github.com/openshift/api/operator/v1/types_etcd.go index 252f3b3990..f2f1131036 100644 --- a/vendor/github.com/openshift/api/operator/v1/types_etcd.go +++ b/vendor/github.com/openshift/api/operator/v1/types_etcd.go @@ -42,11 +42,11 @@ type EtcdSpec struct { HardwareSpeed ControlPlaneHardwareSpeed `json:"controlPlaneHardwareSpeed"` // backendQuotaGiB sets the etcd backend storage size limit in gibibytes. - // The value should be an integer not less than 8 and not more than 32. + // The value should be an integer not less than 8 and not more than 16. // When not specified, the default value is 8. // +kubebuilder:default:=8 // +kubebuilder:validation:Minimum=8 - // +kubebuilder:validation:Maximum=32 + // +kubebuilder:validation:Maximum=16 // +kubebuilder:validation:XValidation:rule="self>=oldSelf",message="etcd backendQuotaGiB may not be decreased" // +openshift:enable:FeatureGate=EtcdBackendQuota // +default=8 diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml index aaf0972908..29b4d13d02 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml +++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.featuregated-crd-manifests.yaml @@ -178,6 +178,7 @@ ingresscontrollers.operator.openshift.io: Category: "" FeatureGates: - IngressControllerDynamicConfigurationManager + - TLSGroupPreferences FilenameOperatorName: ingress FilenameOperatorOrdering: "00" FilenameRunLevel: "0000_50" diff --git a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go index c3ed726028..0b82b1ac66 100644 --- a/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go 
+++ b/vendor/github.com/openshift/api/operator/v1/zz_generated.swagger_doc_generated.go @@ -798,7 +798,7 @@ func (EtcdList) SwaggerDoc() map[string]string { var map_EtcdSpec = map[string]string{ "controlPlaneHardwareSpeed": "HardwareSpeed allows user to change the etcd tuning profile which configures the latency parameters for heartbeat interval and leader election timeouts allowing the cluster to tolerate longer round-trip-times between etcd members. Valid values are \"\", \"Standard\" and \"Slower\".\n\t\"\" means no opinion and the platform is left to choose a reasonable default\n\twhich is subject to change without notice.", - "backendQuotaGiB": "backendQuotaGiB sets the etcd backend storage size limit in gibibytes. The value should be an integer not less than 8 and not more than 32. When not specified, the default value is 8.", + "backendQuotaGiB": "backendQuotaGiB sets the etcd backend storage size limit in gibibytes. The value should be an integer not less than 8 and not more than 16. When not specified, the default value is 8.", } func (EtcdSpec) SwaggerDoc() map[string]string { diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go new file mode 100644 index 0000000000..c23f4d5307 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientcredentialconfig.go 
@@ -0,0 +1,98 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ClientCredentialConfigApplyConfiguration represents a declarative configuration of the ClientCredentialConfig type for use +// with apply. +// +// ClientCredentialConfig configures the client credentials and token endpoint +// to use to get an access token via the OAuth2 client credentials grant flow. +type ClientCredentialConfigApplyConfiguration struct { + // clientID is a required client identifier to use during the OAuth2 client credentials flow. + // clientID must be at least 1 character in length, must not exceed 256 characters in length, + // and must only contain printable ASCII characters. + ClientID *string `json:"clientID,omitempty"` + // clientSecret is a required reference to a Secret in the openshift-config namespace to be used + // as the client secret during the OAuth2 client credentials flow. + // + // The key 'client-secret' is used to locate the client secret data in the Secret. + ClientSecret *ClientSecretSecretReferenceApplyConfiguration `json:"clientSecret,omitempty"` + // tokenEndpoint is a required URL to query for an access token using + // the client credential OAuth2 flow. + // tokenEndpoint must be at least 1 character in length and must not exceed 2048 characters in length. + // tokenEndpoint must be a valid HTTPS URL. + // tokenEndpoint must have a host and a path. + // tokenEndpoint must not contain query parameters, fragments, + // or user information (e.g., "user:password@host"). + TokenEndpoint *string `json:"tokenEndpoint,omitempty"` + // scopes is an optional list of OAuth2 scopes to request when obtaining + // an access token. + // + // If not specified, the token endpoint's default scopes + // will be used. + // + // When specified, there must be at least 1 entry and must not exceed 16 entries. 
+ // Each entry must be at least 1 character in length and must not exceed 256 characters in length. + // Each entry must only contain printable ASCII characters, excluding spaces, double quotes and backslashes. + // Entries must be unique. + Scopes []configv1.OAuth2Scope `json:"scopes,omitempty"` + // tls is an optional field that allows configuring the TLS + // settings used to interact with the identity provider + // as an OAuth2 client. + // + // When omitted, system default TLS settings will be used + // for the OAuth2 client. + TLS *ExternalSourceTLSApplyConfiguration `json:"tls,omitempty"` +} + +// ClientCredentialConfigApplyConfiguration constructs a declarative configuration of the ClientCredentialConfig type for use with +// apply. +func ClientCredentialConfig() *ClientCredentialConfigApplyConfiguration { + return &ClientCredentialConfigApplyConfiguration{} +} + +// WithClientID sets the ClientID field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientID field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithClientID(value string) *ClientCredentialConfigApplyConfiguration { + b.ClientID = &value + return b +} + +// WithClientSecret sets the ClientSecret field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientSecret field is set to the value of the last call. 
+func (b *ClientCredentialConfigApplyConfiguration) WithClientSecret(value *ClientSecretSecretReferenceApplyConfiguration) *ClientCredentialConfigApplyConfiguration { + b.ClientSecret = value + return b +} + +// WithTokenEndpoint sets the TokenEndpoint field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TokenEndpoint field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithTokenEndpoint(value string) *ClientCredentialConfigApplyConfiguration { + b.TokenEndpoint = &value + return b +} + +// WithScopes adds the given value to the Scopes field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Scopes field. +func (b *ClientCredentialConfigApplyConfiguration) WithScopes(values ...configv1.OAuth2Scope) *ClientCredentialConfigApplyConfiguration { + for i := range values { + b.Scopes = append(b.Scopes, values[i]) + } + return b +} + +// WithTLS sets the TLS field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TLS field is set to the value of the last call. +func (b *ClientCredentialConfigApplyConfiguration) WithTLS(value *ExternalSourceTLSApplyConfiguration) *ClientCredentialConfigApplyConfiguration { + b.TLS = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go new file mode 100644 index 0000000000..5b2a8fe03f --- /dev/null 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/clientsecretsecretreference.go @@ -0,0 +1,32 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ClientSecretSecretReferenceApplyConfiguration represents a declarative configuration of the ClientSecretSecretReference type for use +// with apply. +// +// ClientSecretSecretReference is a reference to a Secret in the openshift-config +// namespace that should be used for configuring the client secret to be +// used when sourcing claims from external sources with the client credential authentication flow. +type ClientSecretSecretReferenceApplyConfiguration struct { + // name is the required name of the Secret that exists in the openshift-config namespace. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + Name *string `json:"name,omitempty"` +} + +// ClientSecretSecretReferenceApplyConfiguration constructs a declarative configuration of the ClientSecretSecretReference type for use with +// apply. +func ClientSecretSecretReference() *ClientSecretSecretReferenceApplyConfiguration { + return &ClientSecretSecretReferenceApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. +func (b *ClientSecretSecretReferenceApplyConfiguration) WithName(value string) *ClientSecretSecretReferenceApplyConfiguration { + b.Name = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go index 7df6a4be9e..7b682ef205 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/customtlsprofile.go @@ -31,6 +31,16 @@ func (b *CustomTLSProfileApplyConfiguration) WithCiphers(values ...string) *Cust return b } +// WithGroups adds the given value to the Groups field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Groups field. +func (b *CustomTLSProfileApplyConfiguration) WithGroups(values ...configv1.TLSGroup) *CustomTLSProfileApplyConfiguration { + for i := range values { + b.TLSProfileSpecApplyConfiguration.Groups = append(b.TLSProfileSpecApplyConfiguration.Groups, values[i]) + } + return b +} + // WithMinTLSVersion sets the MinTLSVersion field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the MinTLSVersion field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go new file mode 100644 index 0000000000..143544e7cd --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalclaimssource.go 
@@ -0,0 +1,97 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalClaimsSourceApplyConfiguration represents a declarative configuration of the ExternalClaimsSource type for use +// with apply. +// +// ExternalClaimsSource provides the configuration for a single external claim source. +type ExternalClaimsSourceApplyConfiguration struct { + // authentication is an optional field that configures how the apiserver authenticates with an external claims source. + // When not specified, anonymous authentication is used which means no 'Authorization' header + // is sent in the HTTP request to fetch the external claims. + Authentication *ExternalSourceAuthenticationApplyConfiguration `json:"authentication,omitempty"` + // tls is an optional field that configures the http client TLS + // settings when fetching external claims from this source. + // + // When omitted, system default TLS settings will be used + // for fetching claims from the external source. + TLS *ExternalSourceTLSApplyConfiguration `json:"tls,omitempty"` + // url is a required configuration of the URL + // for which the external claims are located. + URL *SourceURLApplyConfiguration `json:"url,omitempty"` + // mappings is a required list of the claim + // and response handling expression pairs + // that produces the claims from the external source. + // mappings must have at least 1 entry and must not exceed 16 entries. + // Entries must have a unique name across all external claim sources. + Mappings []SourcedClaimMappingApplyConfiguration `json:"mappings,omitempty"` + // predicates is an optional list of constraints in + // which claims should attempt to be fetched from this + // external source. + // + // When omitted, claims are always fetched + // from this external source. + // + // When specified, all predicates must evaluate to 'true' + // before claims are attempted to be fetched from this external source. 
+ // predicates must have at least 1 entry and must not exceed 16 entries. + // Entries must have unique expressions. + Predicates []ExternalSourcePredicateApplyConfiguration `json:"predicates,omitempty"` +} + +// ExternalClaimsSourceApplyConfiguration constructs a declarative configuration of the ExternalClaimsSource type for use with +// apply. +func ExternalClaimsSource() *ExternalClaimsSourceApplyConfiguration { + return &ExternalClaimsSourceApplyConfiguration{} +} + +// WithAuthentication sets the Authentication field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Authentication field is set to the value of the last call. +func (b *ExternalClaimsSourceApplyConfiguration) WithAuthentication(value *ExternalSourceAuthenticationApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.Authentication = value + return b +} + +// WithTLS sets the TLS field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the TLS field is set to the value of the last call. +func (b *ExternalClaimsSourceApplyConfiguration) WithTLS(value *ExternalSourceTLSApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.TLS = value + return b +} + +// WithURL sets the URL field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the URL field is set to the value of the last call. 
+func (b *ExternalClaimsSourceApplyConfiguration) WithURL(value *SourceURLApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + b.URL = value + return b +} + +// WithMappings adds the given value to the Mappings field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Mappings field. +func (b *ExternalClaimsSourceApplyConfiguration) WithMappings(values ...*SourcedClaimMappingApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithMappings") + } + b.Mappings = append(b.Mappings, *values[i]) + } + return b +} + +// WithPredicates adds the given value to the Predicates field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Predicates field. +func (b *ExternalClaimsSourceApplyConfiguration) WithPredicates(values ...*ExternalSourcePredicateApplyConfiguration) *ExternalClaimsSourceApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithPredicates") + } + b.Predicates = append(b.Predicates, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go new file mode 100644 index 0000000000..a2deb822e3 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourceauthentication.go 
@@ -0,0 +1,57 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// ExternalSourceAuthenticationApplyConfiguration represents a declarative configuration of the ExternalSourceAuthentication type for use +// with apply. +// +// ExternalSourceAuthentication configures how the apiserver should attempt +// to authenticate with an external claims source. +type ExternalSourceAuthenticationApplyConfiguration struct { + // type is a required field that sets the type of + // authentication method used by the authenticator + // when fetching external claims. + // + // Allowed values are 'RequestProvidedToken' and 'ClientCredential'. + // + // When set to 'RequestProvidedToken', the authenticator will + // use the token provided to the kube-apiserver as part of the + // request to authenticate with the external claims source. + // + // When set to 'ClientCredential', the authenticator will + // use the configured client-id, client-secret, and token endpoint + // to fetch an access token using the OAuth2 client credentials grant + // flow. The fetched access token will then be used to authenticate + // with the external claims source. + Type *configv1.ExternalSourceAuthenticationType `json:"type,omitempty"` + // clientCredential configures the client credentials + // and token endpoint to use to get an access token. + // clientCredential is required when type is 'ClientCredential', and forbidden otherwise. + ClientCredential *ClientCredentialConfigApplyConfiguration `json:"clientCredential,omitempty"` +} + +// ExternalSourceAuthenticationApplyConfiguration constructs a declarative configuration of the ExternalSourceAuthentication type for use with +// apply. 
+func ExternalSourceAuthentication() *ExternalSourceAuthenticationApplyConfiguration { + return &ExternalSourceAuthenticationApplyConfiguration{} +} + +// WithType sets the Type field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Type field is set to the value of the last call. +func (b *ExternalSourceAuthenticationApplyConfiguration) WithType(value configv1.ExternalSourceAuthenticationType) *ExternalSourceAuthenticationApplyConfiguration { + b.Type = &value + return b +} + +// WithClientCredential sets the ClientCredential field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the ClientCredential field is set to the value of the last call. +func (b *ExternalSourceAuthenticationApplyConfiguration) WithClientCredential(value *ClientCredentialConfigApplyConfiguration) *ExternalSourceAuthenticationApplyConfiguration { + b.ClientCredential = value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go new file mode 100644 index 0000000000..f1fb64e745 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcecertificateauthorityconfigmapreference.go 
@@ -0,0 +1,34 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration represents a declarative configuration of the ExternalSourceCertificateAuthorityConfigMapReference type for use +// with apply. +// +// ExternalSourceCertificateAuthorityConfigMapReference is a reference to a ConfigMap in the openshift-config +// namespace that should be used for configuring the certificate authority to be +// used when sourcing claims from external sources. +type ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration struct { + // name is the required name of the ConfigMap that exists in the openshift-config namespace. + // The key "ca-bundle.crt" must be present and must contain the CA certificate to be used + // to verify the external source's TLS certificate. + // + // It must be at least 1 character in length, must not exceed 253 characters in length, + // must start and end with a lowercase alphanumeric character, and must only contain + // lowercase alphanumeric characters, '-' or '.'. + Name *string `json:"name,omitempty"` +} + +// ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration constructs a declarative configuration of the ExternalSourceCertificateAuthorityConfigMapReference type for use with +// apply. +func ExternalSourceCertificateAuthorityConfigMapReference() *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration { + return &ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration) WithName(value string) *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration { + b.Name = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go new file mode 100644 index 0000000000..ade172deeb --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcepredicate.go 
@@ -0,0 +1,43 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourcePredicateApplyConfiguration represents a declarative configuration of the ExternalSourcePredicate type for use +// with apply. +// +// ExternalSourcePredicate configures a singular condition +// that must return true before the external source is queried +// to retrieve external claims. +type ExternalSourcePredicateApplyConfiguration struct { + // expression is a required CEL expression that + // is used to determine whether or not an external + // source should be used to fetch external claims. + // + // The expression must return a boolean value, + // where true means that the source should be consulted + // and false means that it should not. + // + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // + // The contents of the `claims` variable varies based on the claims that are + // present in the token being validated. It is the responsibility of those configuring this + // field to understand what claims the identity provider includes when issuing tokens. + // + // expression must be at least 1 character and must not exceed 1024 characters in length. + Expression *string `json:"expression,omitempty"` +} + +// ExternalSourcePredicateApplyConfiguration constructs a declarative configuration of the ExternalSourcePredicate type for use with +// apply. +func ExternalSourcePredicate() *ExternalSourcePredicateApplyConfiguration { + return &ExternalSourcePredicateApplyConfiguration{} +} + +// WithExpression sets the Expression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Expression field is set to the value of the last call. 
+func (b *ExternalSourcePredicateApplyConfiguration) WithExpression(value string) *ExternalSourcePredicateApplyConfiguration { + b.Expression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go new file mode 100644 index 0000000000..a0b84ad6d5 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/externalsourcetls.go 
@@ -0,0 +1,30 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// ExternalSourceTLSApplyConfiguration represents a declarative configuration of the ExternalSourceTLS type for use +// with apply. +// +// ExternalSourceTLS configures the TLS options that the apiserver uses as a client +// when making a request to the external claim source. +type ExternalSourceTLSApplyConfiguration struct { + // certificateAuthority is a required reference to a ConfigMap in the openshift-config + // namespace that contains the CA certificate to use to validate TLS connections with the external claims source. + // The key "ca-bundle.crt" must be present in the referenced ConfigMap and must contain the CA certificate to be used + // to verify the external source's TLS certificate. + CertificateAuthority *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration `json:"certificateAuthority,omitempty"` +} + +// ExternalSourceTLSApplyConfiguration constructs a declarative configuration of the ExternalSourceTLS type for use with +// apply. +func ExternalSourceTLS() *ExternalSourceTLSApplyConfiguration { + return &ExternalSourceTLSApplyConfiguration{} +} + +// WithCertificateAuthority sets the CertificateAuthority field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CertificateAuthority field is set to the value of the last call. +func (b *ExternalSourceTLSApplyConfiguration) WithCertificateAuthority(value *ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration) *ExternalSourceTLSApplyConfiguration { + b.CertificateAuthority = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go new file mode 100644 index 0000000000..1ccd980764 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkobservabilityspec.go 
@@ -0,0 +1,33 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +import ( + configv1 "github.com/openshift/api/config/v1" +) + +// NetworkObservabilitySpecApplyConfiguration represents a declarative configuration of the NetworkObservabilitySpec type for use +// with apply. +// +// NetworkObservabilitySpec defines the configuration for network observability installation +type NetworkObservabilitySpecApplyConfiguration struct { + // installationPolicy controls whether network observability is installed during cluster deployment. + // Valid values are "InstallAndEnable" and "NoAction". + // When set to "InstallAndEnable", ensure that network observability will be installed and enabled on the cluster. If already installed, no action taken, but if it gets uninstalled, it will install it again. + // When set to "NoAction", nothing will be done regarding Network observability. + InstallationPolicy *configv1.NetworkObservabilityInstallationPolicy `json:"installationPolicy,omitempty"` +} + +// NetworkObservabilitySpecApplyConfiguration constructs a declarative configuration of the NetworkObservabilitySpec type for use with +// apply. +func NetworkObservabilitySpec() *NetworkObservabilitySpecApplyConfiguration { + return &NetworkObservabilitySpecApplyConfiguration{} +} + +// WithInstallationPolicy sets the InstallationPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the InstallationPolicy field is set to the value of the last call. +func (b *NetworkObservabilitySpecApplyConfiguration) WithInstallationPolicy(value configv1.NetworkObservabilityInstallationPolicy) *NetworkObservabilitySpecApplyConfiguration { + b.InstallationPolicy = &value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go index 4a3f9b7b89..27e7480ecf 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/networkspec.go @@ -42,6 +42,10 @@ type NetworkSpecApplyConfiguration struct { // and the spec.disableNetworkDiagnostics flag in network.operator.openshift.io is set to true, // the network diagnostics feature will be disabled. NetworkDiagnostics *NetworkDiagnosticsApplyConfiguration `json:"networkDiagnostics,omitempty"` + // networkObservability is an optional field that configures network observability installation + // during cluster deployment (day-0). + // When omitted, unless this is a SNO cluster, network observability will be installed if not already present, after that, no action taken. + NetworkObservability *NetworkObservabilitySpecApplyConfiguration `json:"networkObservability,omitempty"` } // NetworkSpecApplyConfiguration constructs a declarative configuration of the NetworkSpec type for use with @@ -104,3 +108,11 @@ func (b *NetworkSpecApplyConfiguration) WithNetworkDiagnostics(value *NetworkDia b.NetworkDiagnostics = value return b } + +// WithNetworkObservability sets the NetworkObservability field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the NetworkObservability field is set to the value of the last call. +func (b *NetworkSpecApplyConfiguration) WithNetworkObservability(value *NetworkObservabilitySpecApplyConfiguration) *NetworkSpecApplyConfiguration { + b.NetworkObservability = value + return b +} 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go index 6f5a249a70..4fb1c97ebc 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/oidcprovider.go 
@@ -26,6 +26,27 @@ type OIDCProviderApplyConfiguration struct { // If any rule in the chain of rules evaluates to 'false', authentication will fail. // When specified, at least one rule must be specified and no more than 64 rules may be specified. UserValidationRules []TokenUserValidationRuleApplyConfiguration `json:"userValidationRules,omitempty"` + // externalClaimsSources is an optional field that can be used to configure + // sources, external to the token provided in a request, in which claims + // should be fetched from and made available to the claim mapping process + // that is used to build the identity of a token holder. + // + // For example, fetching additional user metadata from an OIDC provider's UserInfo endpoint. + // + // When not specified, only claims present in the token itself will be available + // in the claim mapping process. + // + // When specified, at least one external claim source must be specified and no more than 5 + // sources may be specified. + // All external claim sources must have unique claim mappings. + // When an external source responds and resolves additional claims successfully, they will + // be made available as claims during the claim mapping process. + // Externally sourced claims with the same name as a claim existing within the token will + // overwrite the claim data from the token with the externally sourced information. + // If an external source does not respond, responds with an error, or the additional + // claim data cannot be resolved from the response successfully it will not be + // included in the claim data passed to the claim mapping process. + ExternalClaimsSources []ExternalClaimsSourceApplyConfiguration `json:"externalClaimsSources,omitempty"` } // OIDCProviderApplyConfiguration constructs a declarative configuration of the OIDCProvider type for use with 
@@ -96,3 +117,16 @@ func (b *OIDCProviderApplyConfiguration) WithUserValidationRules(values ...*Toke } return b } + +// WithExternalClaimsSources adds the given value to the ExternalClaimsSources field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the ExternalClaimsSources field. +func (b *OIDCProviderApplyConfiguration) WithExternalClaimsSources(values ...*ExternalClaimsSourceApplyConfiguration) *OIDCProviderApplyConfiguration { + for i := range values { + if values[i] == nil { + panic("nil value passed to WithExternalClaimsSources") + } + b.ExternalClaimsSources = append(b.ExternalClaimsSources, *values[i]) + } + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go new file mode 100644 index 0000000000..92c4dc24f7 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourcedclaimmapping.go 
@@ -0,0 +1,51 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// SourcedClaimMappingApplyConfiguration represents a declarative configuration of the SourcedClaimMapping type for use +// with apply. +// +// SourcedClaimMapping configures the mapping behavior for a single external claim +// from the response the apiserver received from the external claim source. +type SourcedClaimMappingApplyConfiguration struct { + // name is a required name of the claim that + // will be produced and made available during + // the claim-to-identity mapping process. + // name must consist of only lowercase alpha characters and underscores ('_'). + // name must be at least 1 character and must not exceed 256 characters in length. + Name *string `json:"name,omitempty"` + // expression is a required CEL expression that + // will produce a value to be assigned to the claim. + // The full response body from the request to the + // external claim source is provided via the + // `response.body` variable. + // + // The contents of the `response.body` variable varies based on the response received + // from the external source. It is the responsibility of those configuring + // this expression to understand what is returned from the external source. + // + // expression must be at least 1 character and must not exceed 1024 characters in length. + Expression *string `json:"expression,omitempty"` +} + +// SourcedClaimMappingApplyConfiguration constructs a declarative configuration of the SourcedClaimMapping type for use with +// apply. +func SourcedClaimMapping() *SourcedClaimMappingApplyConfiguration { + return &SourcedClaimMappingApplyConfiguration{} +} + +// WithName sets the Name field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Name field is set to the value of the last call. 
+func (b *SourcedClaimMappingApplyConfiguration) WithName(value string) *SourcedClaimMappingApplyConfiguration { + b.Name = &value + return b +} + +// WithExpression sets the Expression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Expression field is set to the value of the last call. +func (b *SourcedClaimMappingApplyConfiguration) WithExpression(value string) *SourcedClaimMappingApplyConfiguration { + b.Expression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go new file mode 100644 index 0000000000..b94a89f39c --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/sourceurl.go 
@@ -0,0 +1,67 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1 + +// SourceURLApplyConfiguration represents a declarative configuration of the SourceURL type for use +// with apply. +// +// SourceURL configures the options used to build the URL that is queried for external claims. +type SourceURLApplyConfiguration struct { + // hostname is a required hostname for which the external claims are located. + // + // It must be a valid DNS subdomain name as per RFC1123. + // + // This means that it must start and end with a lowercase alphanumeric character, + // must only consist of lowercase alphanumeric characters, '-', and '.'. + // hostname may optionally specify a port in the format ':{port}'. + // If a port is specified it must not exceed 65535. + // + // hostname must be at least 1 character in length. + // When specifying a port, hostname must not exceed 259 characters in length. + // When not specifying a port, hostname must not exceed 253 characters in length. + Hostname *string `json:"hostname,omitempty"` + // pathExpression is a required CEL expression that returns a list + // of string values used to construct the URL path. + // Claims from the token used for the request to the kube-apiserver + // are made available via the `claims` variable. + // expression must be at least 1 character in length and must not exceed 1024 characters in length. + // + // Values in the returned list will be joined with the hostname using a forward slash + // (`/`) as a separator. Values in the returned list do not need to include the forward slash. + // If a forward slash is included in a returned value, it will be encoded as `%2F`. 
+ // + // Example of a static path configuration: + // + // pathExpression: ['realms', 'k8s', 'protocol', 'openid-connect', 'userinfo'] + // + // The above example would resolve to the path: '/realms/k8s/protocol/openid-connect/userinfo' + // + // Example of a dynamic path configuration: + // + // pathExpression: "['admin', 'realms', 'k8s', 'users'] + [claims.sub] + ['groups']" + // + // Assuming 'claims.sub' is set to '12345', the above example would resolve to the path: '/admin/realms/k8s/users/12345/groups' + PathExpression *string `json:"pathExpression,omitempty"` +} + +// SourceURLApplyConfiguration constructs a declarative configuration of the SourceURL type for use with +// apply. +func SourceURL() *SourceURLApplyConfiguration { + return &SourceURLApplyConfiguration{} +} + +// WithHostname sets the Hostname field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Hostname field is set to the value of the last call. +func (b *SourceURLApplyConfiguration) WithHostname(value string) *SourceURLApplyConfiguration { + b.Hostname = &value + return b +} + +// WithPathExpression sets the PathExpression field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the PathExpression field is set to the value of the last call. +func (b *SourceURLApplyConfiguration) WithPathExpression(value string) *SourceURLApplyConfiguration { + b.PathExpression = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go index 5e34ffd5db..cbefaf5169 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlsprofilespec.go @@ -21,6 +21,24 @@ type TLSProfileSpecApplyConfiguration struct { // TLS 1.3 cipher suites (e.g. TLS_AES_128_GCM_SHA256) are not configurable // and are always enabled when TLS 1.3 is negotiated. Ciphers []string `json:"ciphers,omitempty"` + // groups is an optional, ordered field used to specify the supported groups (formerly known as + // elliptic curves) that are used during the TLS handshake. The order of the groups represents + // a suggested preference, with the most preferred group first. Note that not all platform + // components honor the ordering: Go-based components use Go's internal preference order and + // treat this list as a filter of allowed groups rather than an ordered preference. + // Operators may remove entries their operands do not support. + // + // When omitted, this means no opinion and the platform is left to choose reasonable defaults which are + // subject to change over time and may be different per platform component depending on the underlying TLS + // libraries they use. If specified, the list must contain at least one and at most 7 groups, + // and each group must be unique. + // + // For example, to use X25519 and secp256r1 (yaml): + // + // groups: + // - X25519 + // - secp256r1 + Groups []configv1.TLSGroup `json:"groups,omitempty"` // minTLSVersion is used to specify the minimal version of the TLS protocol // that is negotiated during the TLS handshake. For example, to use TLS // versions 1.1, 1.2 and 1.3 (yaml): 
@@ -45,6 +63,16 @@ func (b *TLSProfileSpecApplyConfiguration) WithCiphers(values ...string) *TLSPro return b } +// WithGroups adds the given value to the Groups field in the declarative configuration +// and returns the receiver, so that objects can be build by chaining "With" function invocations. +// If called multiple times, values provided by each call will be appended to the Groups field. +func (b *TLSProfileSpecApplyConfiguration) WithGroups(values ...configv1.TLSGroup) *TLSProfileSpecApplyConfiguration { + for i := range values { + b.Groups = append(b.Groups, values[i]) + } + return b +} + // WithMinTLSVersion sets the MinTLSVersion field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the MinTLSVersion field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go index dd57aad086..eab7cd4525 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/tlssecurityprofile.go 
@@ -15,10 +15,16 @@ type TLSSecurityProfileApplyConfiguration struct { // type is one of Old, Intermediate, Modern or Custom. Custom provides the // ability to specify individual TLS security profile parameters. // - // The profiles are based on version 5.7 of the Mozilla Server Side TLS - // configuration guidelines. The cipher lists consist of the configuration's - // "ciphersuites" followed by the Go-specific "ciphers" from the guidelines. - // See: https://ssl-config.mozilla.org/guidelines/5.7.json + // The cipher and groups lists in these profiles are based on version 5.8 of the + // Mozilla Server Side TLS configuration guidelines. + // See: https://ssl-config.mozilla.org/guidelines/5.8.json + // + // The groups are listed in suggested preference order, with the most preferred group first. + // Note that not all platform components honor the ordering: Go-based components use Go's + // internal preference order and treat this list as a filter of allowed groups rather than + // an ordered preference. + // Note that X25519MLKEM768 is a post-quantum hybrid group that is not + // FIPS-approved and should be ignored by components running in FIPS mode. // // The profiles are intent based, so they may change over time as new ciphers are // developed and existing ciphers are found to be insecure. Depending on @@ -27,6 +33,10 @@ type TLSSecurityProfileApplyConfiguration struct { // old is a TLS profile for use when services need to be accessed by very old // clients or libraries and should be used only as a last resort. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS10 // ciphers: 
@@ -43,11 +53,14 @@ type TLSSecurityProfileApplyConfiguration struct { // - ECDHE-RSA-AES128-SHA256 // - ECDHE-ECDSA-AES128-SHA // - ECDHE-RSA-AES128-SHA + // - ECDHE-ECDSA-AES256-SHA384 + // - ECDHE-RSA-AES256-SHA384 // - ECDHE-ECDSA-AES256-SHA // - ECDHE-RSA-AES256-SHA // - AES128-GCM-SHA256 // - AES256-GCM-SHA384 // - AES128-SHA256 + // - AES256-SHA256 // - AES128-SHA // - AES256-SHA // - DES-CBC3-SHA @@ -56,6 +69,10 @@ type TLSSecurityProfileApplyConfiguration struct { // legacy clients and want to remain highly secure while being compatible with // most clients currently in use. // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. + // // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS12 // ciphers: @@ -71,7 +88,9 @@ type TLSSecurityProfileApplyConfiguration struct { Intermediate *configv1.IntermediateTLSProfile `json:"intermediate,omitempty"` // modern is a TLS security profile for use with clients that support TLS 1.3 and // do not need backward compatibility for older clients. - // + // The supported groups list includes by default the following groups + // in suggested preference order (ordering may not be honored by all implementations): + // X25519MLKEM768, X25519, secp256r1, secp384r1. // This profile is equivalent to a Custom profile specified as: // minTLSVersion: VersionTLS13 // ciphers: 
@@ -80,8 +99,11 @@ type TLSSecurityProfileApplyConfiguration struct { // - TLS_CHACHA20_POLY1305_SHA256 Modern *configv1.ModernTLSProfile `json:"modern,omitempty"` // custom is a user-defined TLS security profile. Be extremely careful using a custom - // profile as invalid configurations can be catastrophic. An example custom profile - // looks like this: + // profile as invalid configurations can be catastrophic. + // + // The supported groups list for this profile is empty by default. + // + // An example custom profile looks like this: // // minTLSVersion: VersionTLS11 // ciphers: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go index ede86ce365..9119cbe199 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultapproleauthentication.go @@ -9,7 +9,7 @@ package v1 type VaultAppRoleAuthenticationApplyConfiguration struct { // secret references a secret in the openshift-config namespace containing // the AppRole credentials used to authenticate with Vault. - // The secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. + // The referenced Secret must contain two keys: "role-id" for the AppRole Role ID and "secret-id" for the AppRole Secret ID. Secret *VaultSecretReferenceApplyConfiguration `json:"secret,omitempty"` } diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go index e8cd3bcdf2..736095a27d 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go 
+++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaultkmspluginconfig.go @@ -47,14 +47,10 @@ type VaultKMSPluginConfigApplyConfiguration struct { Authentication *VaultAuthenticationApplyConfiguration `json:"authentication,omitempty"` // transitMount specifies the mount path of the Vault Transit engine. // - // When omitted, this means the user has no opinion and the platform is left - // to choose a reasonable default. These defaults are subject to change over time. - // The current default is "transit". - // - // The transit mount must be between 1 and 1024 characters when specified, cannot start or - // end with a forward slash, cannot contain consecutive forward slashes, and must only contain - // RFC 3986 unreserved characters (alphanumeric, hyphen, period, underscore, tilde) and forward - // slashes as path separators. + // The transit mount must be between 1 and 1024 characters, cannot start or + // end with a forward slash, cannot contain consecutive forward slashes, and + // must only contain RFC 3986 unreserved characters (alphanumeric, hyphen, + // period, underscore, tilde) and forward slashes as path separators. TransitMount *string `json:"transitMount,omitempty"` // transitKey specifies the name of the encryption key in Vault's Transit engine. // This key is used to encrypt and decrypt data. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go index 9fba4e1a42..04bf8c3bf1 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1/vaulttlsconfig.go 
@@ -9,7 +9,7 @@ package v1 type VaultTLSConfigApplyConfiguration struct { // caBundle references a ConfigMap in the openshift-config namespace containing // the CA certificate bundle used to verify the TLS connection to the Vault server. - // The ConfigMap must contain the CA bundle in the key "ca-bundle.crt". + // The referenced ConfigMap must contain the CA bundle in the key "ca-bundle.crt". // When this field is not set, the system's trusted CA certificates are used. // // The namespace for the ConfigMap is openshift-config. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go index c47130a180..37c93f7e15 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/alertmanagercustomconfig.go 
@@ -13,8 +13,23 @@ import ( // AlertmanagerCustomConfig represents the configuration for a custom Alertmanager deployment. // alertmanagerCustomConfig provides configuration options for the default Alertmanager instance // that runs in the `openshift-monitoring` namespace. Use this configuration to control -// whether the default Alertmanager is deployed, how it logs, and how its pods are scheduled. +// whether user-defined namespaces are selected for AlertmanagerConfig lookups, how it logs, +// and how its pods are scheduled. type AlertmanagerCustomConfigApplyConfiguration struct { + // userAlertmanagerConfigSelection is an optional field that controls whether user-defined + // namespaces can be selected for AlertmanagerConfig lookups on the platform Alertmanager + // instance in the `openshift-monitoring` namespace. + // Valid values are Selectable and None. + // When set to Selectable, the platform Alertmanager discovers AlertmanagerConfig resources + // in user-defined namespaces. This is equivalent to `enableUserAlertmanagerConfig: true` in + // the cluster-monitoring-config ConfigMap. + // When set to None, user-defined namespaces are not selected for AlertmanagerConfig lookups + // on the platform Alertmanager. This is equivalent to `enableUserAlertmanagerConfig: false` + // in the cluster-monitoring-config ConfigMap. + // This setting only applies when the user-workload monitoring Alertmanager is not enabled. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, which is subject to change over time. + // The current default value is `None`. + UserAlertmanagerConfigSelection *configv1alpha1.UserAlertmanagerConfigSelection `json:"userAlertmanagerConfigSelection,omitempty"` // logLevel defines the verbosity of logs emitted by Alertmanager. // This field allows users to control the amount and severity of logs generated, which can be useful // for debugging issues or reducing noise in production environments. 
@@ -103,6 +118,14 @@ func AlertmanagerCustomConfig() *AlertmanagerCustomConfigApplyConfiguration { return &AlertmanagerCustomConfigApplyConfiguration{} } +// WithUserAlertmanagerConfigSelection sets the UserAlertmanagerConfigSelection field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the UserAlertmanagerConfigSelection field is set to the value of the last call. +func (b *AlertmanagerCustomConfigApplyConfiguration) WithUserAlertmanagerConfigSelection(value configv1alpha1.UserAlertmanagerConfigSelection) *AlertmanagerCustomConfigApplyConfiguration { + b.UserAlertmanagerConfigSelection = &value + return b +} + // WithLogLevel sets the LogLevel field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the LogLevel field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go index 8c6a288f50..a4a250fc24 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/nodeexporterconfig.go @@ -4,7 +4,6 @@ package v1alpha1 import ( configv1alpha1 "github.com/openshift/api/config/v1alpha1" - v1 "k8s.io/api/core/v1" ) // NodeExporterConfigApplyConfiguration represents a declarative configuration of the NodeExporterConfig type for use 
@@ -16,14 +15,6 @@ import ( // network statistics. // At least one field must be specified. type NodeExporterConfigApplyConfiguration struct { - // nodeSelector defines the nodes on which the Pods are scheduled. - // nodeSelector is optional. - // - // When omitted, this means the user has no opinion and the platform is left - // to choose reasonable defaults. These defaults are subject to change over time. - // The current default value is `kubernetes.io/os: linux`. - // When specified, nodeSelector must contain at least 1 entry and must not contain more than 10 entries. - NodeSelector map[string]string `json:"nodeSelector,omitempty"` // resources defines the compute resource requests and limits for the node-exporter container. // This includes CPU, memory and HugePages constraints to help control scheduling and resource usage. // When not specified, defaults are used by the platform. Requests cannot exceed limits. @@ -44,16 +35,6 @@ type NodeExporterConfigApplyConfiguration struct { // Minimum length for this list is 1. // Each resource name must be unique within this list. Resources []ContainerResourceApplyConfiguration `json:"resources,omitempty"` - // tolerations defines tolerations for the pods. - // tolerations is optional. - // - // When omitted, this means the user has no opinion and the platform is left - // to choose reasonable defaults. These defaults are subject to change over time. - // The current default is to tolerate all taints (operator: Exists without any key), - // which is typical for DaemonSets that must run on every node. - // Maximum length for this list is 10. - // Minimum length for this list is 1. - Tolerations []v1.Toleration `json:"tolerations,omitempty"` // collectors configures which node-exporter metric collectors are enabled. // collectors is optional. // Each collector can be individually enabled or disabled. Some collectors may have 
@@ -96,20 +77,6 @@ func NodeExporterConfig() *NodeExporterConfigApplyConfiguration { return &NodeExporterConfigApplyConfiguration{} } -// WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, the entries provided by each call will be put on the NodeSelector field, -// overwriting an existing map entries in NodeSelector field with the same key. -func (b *NodeExporterConfigApplyConfiguration) WithNodeSelector(entries map[string]string) *NodeExporterConfigApplyConfiguration { - if b.NodeSelector == nil && len(entries) > 0 { - b.NodeSelector = make(map[string]string, len(entries)) - } - for k, v := range entries { - b.NodeSelector[k] = v - } - return b -} - // WithResources adds the given value to the Resources field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Resources field. 
@@ -123,16 +90,6 @@ func (b *NodeExporterConfigApplyConfiguration) WithResources(values ...*Containe return b } -// WithTolerations adds the given value to the Tolerations field in the declarative configuration -// and returns the receiver, so that objects can be build by chaining "With" function invocations. -// If called multiple times, values provided by each call will be appended to the Tolerations field. -func (b *NodeExporterConfigApplyConfiguration) WithTolerations(values ...v1.Toleration) *NodeExporterConfigApplyConfiguration { - for i := range values { - b.Tolerations = append(b.Tolerations, values[i]) - } - return b -} - // WithCollectors sets the Collectors field in the declarative configuration to the given value // and returns the receiver, so that objects can be built by chaining "With" function invocations. // If called multiple times, the Collectors field is set to the value of the last call. diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go index f2fda246e1..9210a0a308 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierconfig.go @@ -3,6 +3,7 @@ package v1alpha1 import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" v1 "k8s.io/api/core/v1" ) 
@@ -13,6 +14,31 @@ import ( // that runs in the `openshift-monitoring` namespace. // At least one field must be specified; an empty thanosQuerierConfig object is not allowed. type ThanosQuerierConfigApplyConfiguration struct { + // logLevel defines the verbosity of logs emitted by Thanos Querier. + // logLevel is optional. + // Allowed values are Error, Warn, Info, and Debug. + // When set to Error, only errors will be logged. + // When set to Warn, both warnings and errors will be logged. + // When set to Info, general information, warnings, and errors will all be logged. + // When set to Debug, detailed debugging information will be logged. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default value is `Info`. + LogLevel *configv1alpha1.LogLevel `json:"logLevel,omitempty"` + // requestLogging configures request logging for Thanos Querier. + // requestLogging is optional. + // When provided, the policy field within is required. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default behavior is to not log any requests. + RequestLogging *ThanosQuerierRequestLoggingConfigApplyConfiguration `json:"requestLogging,omitempty"` + // crossOriginRequestPolicy configures the CORS (Cross-Origin Resource Sharing) policy + // for Thanos Querier's HTTP endpoints. + // crossOriginRequestPolicy is optional. + // Valid values are "AllowAll" and "DenyAll". + // When set to "AllowAll", CORS headers are added to responses, allowing cross-origin requests from any domain. + // When set to "DenyAll", no CORS headers are added and cross-origin requests are rejected by the browser. + // When omitted, this means no opinion and the platform is left to choose a reasonable default, that is subject to change over time. + // The current default value is "DenyAll". 
+ CrossOriginRequestPolicy *configv1alpha1.CrossOriginRequestPolicy `json:"crossOriginRequestPolicy,omitempty"` // nodeSelector defines the nodes on which the Pods are scheduled. // nodeSelector is optional. // 
@@ -69,6 +95,30 @@ func ThanosQuerierConfig() *ThanosQuerierConfigApplyConfiguration { return &ThanosQuerierConfigApplyConfiguration{} } +// WithLogLevel sets the LogLevel field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the LogLevel field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithLogLevel(value configv1alpha1.LogLevel) *ThanosQuerierConfigApplyConfiguration { + b.LogLevel = &value + return b +} + +// WithRequestLogging sets the RequestLogging field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the RequestLogging field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithRequestLogging(value *ThanosQuerierRequestLoggingConfigApplyConfiguration) *ThanosQuerierConfigApplyConfiguration { + b.RequestLogging = value + return b +} + +// WithCrossOriginRequestPolicy sets the CrossOriginRequestPolicy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the CrossOriginRequestPolicy field is set to the value of the last call. +func (b *ThanosQuerierConfigApplyConfiguration) WithCrossOriginRequestPolicy(value configv1alpha1.CrossOriginRequestPolicy) *ThanosQuerierConfigApplyConfiguration { + b.CrossOriginRequestPolicy = &value + return b +} + // WithNodeSelector puts the entries into the NodeSelector field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, the entries provided by each call will be put on the NodeSelector field, 
diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go new file mode 100644 index 0000000000..d9a6264426 --- /dev/null +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/config/v1alpha1/thanosquerierrequestloggingconfig.go 
@@ -0,0 +1,34 @@ +// Code generated by applyconfiguration-gen. DO NOT EDIT. + +package v1alpha1 + +import ( + configv1alpha1 "github.com/openshift/api/config/v1alpha1" +) + +// ThanosQuerierRequestLoggingConfigApplyConfiguration represents a declarative configuration of the ThanosQuerierRequestLoggingConfig type for use +// with apply. +// +// ThanosQuerierRequestLoggingConfig configures request logging for Thanos Querier. +type ThanosQuerierRequestLoggingConfigApplyConfiguration struct { + // policy determines which HTTP and gRPC requests are logged by Thanos Querier. + // Valid values are "AllRequests" and "NoRequests". + // When set to "AllRequests", every request received by Thanos Querier is logged with method, path, and response status. + // The log level for request logs is derived from the logLevel field. + // When set to "NoRequests", request logging is turned off. + Policy *configv1alpha1.RequestLoggingPolicy `json:"policy,omitempty"` +} + +// ThanosQuerierRequestLoggingConfigApplyConfiguration constructs a declarative configuration of the ThanosQuerierRequestLoggingConfig type for use with +// apply. +func ThanosQuerierRequestLoggingConfig() *ThanosQuerierRequestLoggingConfigApplyConfiguration { + return &ThanosQuerierRequestLoggingConfigApplyConfiguration{} +} + +// WithPolicy sets the Policy field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the Policy field is set to the value of the last call. +func (b *ThanosQuerierRequestLoggingConfigApplyConfiguration) WithPolicy(value configv1alpha1.RequestLoggingPolicy) *ThanosQuerierRequestLoggingConfigApplyConfiguration { + b.Policy = &value + return b +} diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go index 913a6be828..10bf2d9bdd 100644 
--- a/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/internal/internal.go @@ -613,6 +613,7 @@ var schemaYAML = typed.YAMLObject(`types: - name: kms type: namedType: com.github.openshift.api.config.v1.KMSPluginConfig + default: {} - name: type type: scalar: string @@ -1123,6 +1124,35 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.BuildOverrides default: {} +- name: com.github.openshift.api.config.v1.ClientCredentialConfig + map: + fields: + - name: clientID + type: + scalar: string + - name: clientSecret + type: + namedType: com.github.openshift.api.config.v1.ClientSecretSecretReference + default: {} + - name: scopes + type: + list: + elementType: + scalar: string + elementRelationship: associative + - name: tls + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceTLS + default: {} + - name: tokenEndpoint + type: + scalar: string +- name: com.github.openshift.api.config.v1.ClientSecretSecretReference + map: + fields: + - name: name + type: + scalar: string - name: com.github.openshift.api.config.v1.CloudControllerManagerStatus map: fields: 
@@ -1791,6 +1821,37 @@ var schemaYAML = typed.YAMLObject(`types: - name: ingressIP type: scalar: string +- name: com.github.openshift.api.config.v1.ExternalClaimsSource + map: + fields: + - name: authentication + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceAuthentication + default: {} + - name: mappings + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.SourcedClaimMapping + elementRelationship: associative + keys: + - name + - name: predicates + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.ExternalSourcePredicate + elementRelationship: associative + keys: + - expression + - name: tls + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceTLS + default: {} + - name: url + type: + namedType: com.github.openshift.api.config.v1.SourceURL + default: {} - name: com.github.openshift.api.config.v1.ExternalIPConfig map: fields: @@ -1832,6 +1893,35 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.CloudControllerManagerStatus default: {} +- name: com.github.openshift.api.config.v1.ExternalSourceAuthentication + map: + fields: + - name: clientCredential + type: + namedType: com.github.openshift.api.config.v1.ClientCredentialConfig + default: {} + - name: type + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference + map: + fields: + - name: name + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourcePredicate + map: + fields: + - name: expression + type: + scalar: string +- name: com.github.openshift.api.config.v1.ExternalSourceTLS + map: + fields: + - name: certificateAuthority + type: + namedType: com.github.openshift.api.config.v1.ExternalSourceCertificateAuthorityConfigMapReference + default: {} - name: com.github.openshift.api.config.v1.ExtraMapping map: fields: 
@@ -2940,6 +3030,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: networkType type: scalar: string +- name: com.github.openshift.api.config.v1.NetworkObservabilitySpec + map: + fields: + - name: installationPolicy + type: + scalar: string - name: com.github.openshift.api.config.v1.NetworkSpec map: fields: @@ -2956,6 +3052,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1.NetworkDiagnostics default: {} + - name: networkObservability + type: + namedType: com.github.openshift.api.config.v1.NetworkObservabilitySpec + default: {} - name: networkType type: scalar: string @@ -3318,6 +3418,12 @@ var schemaYAML = typed.YAMLObject(`types: elementType: namedType: com.github.openshift.api.config.v1.TokenClaimValidationRule elementRelationship: atomic + - name: externalClaimsSources + type: + list: + elementType: + namedType: com.github.openshift.api.config.v1.ExternalClaimsSource + elementRelationship: atomic - name: issuer type: namedType: com.github.openshift.api.config.v1.TokenIssuer @@ -4201,6 +4307,24 @@ var schemaYAML = typed.YAMLObject(`types: type: scalar: string default: "" +- name: com.github.openshift.api.config.v1.SourceURL + map: + fields: + - name: hostname + type: + scalar: string + - name: pathExpression + type: + scalar: string +- name: com.github.openshift.api.config.v1.SourcedClaimMapping + map: + fields: + - name: expression + type: + scalar: string + - name: name + type: + scalar: string - name: com.github.openshift.api.config.v1.Storage map: fields: @@ -4834,6 +4958,9 @@ var schemaYAML = typed.YAMLObject(`types: keys: - topologyKey - whenUnsatisfiable + - name: userAlertmanagerConfigSelection + type: + scalar: string - name: volumeClaimTemplate type: namedType: PersistentVolumeClaim.v1.core.api.k8s.io 
@@ -5343,6 +5470,10 @@ var schemaYAML = typed.YAMLObject(`types: type: namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorProcessesConfig default: {} + - name: softirqs + type: + namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig + default: {} - name: systemd type: namedType: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSystemdConfig @@ -5408,6 +5539,12 @@ var schemaYAML = typed.YAMLObject(`types: - name: collectionPolicy type: scalar: string +- name: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSoftirqsConfig + map: + fields: + - name: collectionPolicy + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.NodeExporterCollectorSystemdCollectConfig map: fields: @@ -5454,11 +5591,6 @@ var schemaYAML = typed.YAMLObject(`types: - name: maxProcs type: scalar: numeric - - name: nodeSelector - type: - map: - elementType: - scalar: string - name: resources type: list: @@ -5467,12 +5599,6 @@ var schemaYAML = typed.YAMLObject(`types: elementRelationship: associative keys: - name - - name: tolerations - type: - list: - elementType: - namedType: Toleration.v1.core.api.k8s.io - elementRelationship: atomic - name: com.github.openshift.api.config.v1alpha1.OAuth2 map: fields: @@ -6075,11 +6201,21 @@ var schemaYAML = typed.YAMLObject(`types: - name: com.github.openshift.api.config.v1alpha1.ThanosQuerierConfig map: fields: + - name: crossOriginRequestPolicy + type: + scalar: string + - name: logLevel + type: + scalar: string - name: nodeSelector type: map: elementType: scalar: string + - name: requestLogging + type: + namedType: com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig + default: {} - name: resources type: list: 
@@ -6103,6 +6239,12 @@ var schemaYAML = typed.YAMLObject(`types: keys: - topologyKey - whenUnsatisfiable +- name: com.github.openshift.api.config.v1alpha1.ThanosQuerierRequestLoggingConfig + map: + fields: + - name: policy + type: + scalar: string - name: com.github.openshift.api.config.v1alpha1.UppercaseActionConfig map: fields: diff --git a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go index 79f4f85681..47aab90c8e 100644 --- a/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go +++ b/vendor/github.com/openshift/client-go/config/applyconfigurations/utils.go @@ -78,6 +78,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.BuildOverridesApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("BuildSpec"): return &configv1.BuildSpecApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClientCredentialConfig"): + return &configv1.ClientCredentialConfigApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ClientSecretSecretReference"): + return &configv1.ClientSecretSecretReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CloudControllerManagerStatus"): return &configv1.CloudControllerManagerStatusApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("CloudLoadBalancerConfig"): @@ -150,6 +154,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.DNSZoneApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("EquinixMetalPlatformStatus"): return &configv1.EquinixMetalPlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalClaimsSource"): + return &configv1.ExternalClaimsSourceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalIPConfig"): return &configv1.ExternalIPConfigApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalIPPolicy"): 
@@ -158,6 +164,14 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.ExternalPlatformSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExternalPlatformStatus"): return &configv1.ExternalPlatformStatusApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceAuthentication"): + return &configv1.ExternalSourceAuthenticationApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceCertificateAuthorityConfigMapReference"): + return &configv1.ExternalSourceCertificateAuthorityConfigMapReferenceApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourcePredicate"): + return &configv1.ExternalSourcePredicateApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("ExternalSourceTLS"): + return &configv1.ExternalSourceTLSApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("ExtraMapping"): return &configv1.ExtraMappingApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("FeatureGate"): @@ -290,6 +304,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.NetworkDiagnosticsTargetPlacementApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkMigration"): return &configv1.NetworkMigrationApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("NetworkObservabilitySpec"): + return &configv1.NetworkObservabilitySpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkSpec"): return &configv1.NetworkSpecApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("NetworkStatus"): 
@@ -416,6 +432,10 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1.SecretNameReferenceApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("SignatureStore"): return &configv1.SignatureStoreApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("SourcedClaimMapping"): + return &configv1.SourcedClaimMappingApplyConfiguration{} + case v1.SchemeGroupVersion.WithKind("SourceURL"): + return &configv1.SourceURLApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("Storage"): return &configv1.StorageApplyConfiguration{} case v1.SchemeGroupVersion.WithKind("TemplateReference"): @@ -642,6 +662,8 @@ func ForKind(kind schema.GroupVersionKind) interface{} { return &configv1alpha1.TelemeterClientConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("ThanosQuerierConfig"): return &configv1alpha1.ThanosQuerierConfigApplyConfiguration{} + case v1alpha1.SchemeGroupVersion.WithKind("ThanosQuerierRequestLoggingConfig"): + return &configv1alpha1.ThanosQuerierRequestLoggingConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("TLSConfig"): return &configv1alpha1.TLSConfigApplyConfiguration{} case v1alpha1.SchemeGroupVersion.WithKind("UppercaseActionConfig"): diff --git a/vendor/modules.txt b/vendor/modules.txt index fdc24aa88f..a373fabaa7 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -172,11 +172,11 @@ github.com/go-logr/stdr # github.com/go-logr/zapr v1.3.0 ## explicit; go 1.18 github.com/go-logr/zapr -# github.com/go-openapi/jsonpointer v0.22.5 -## explicit; go 1.24.0 +# github.com/go-openapi/jsonpointer v0.23.1 +## explicit; go 1.25.0 github.com/go-openapi/jsonpointer -# github.com/go-openapi/jsonreference v0.21.5 -## explicit; go 1.24.0 +# github.com/go-openapi/jsonreference v0.21.6 +## explicit; go 1.25.0 github.com/go-openapi/jsonreference github.com/go-openapi/jsonreference/internal # github.com/go-openapi/swag v0.25.5 
@@ -191,8 +191,8 @@ github.com/go-openapi/swag/conv # github.com/go-openapi/swag/fileutils v0.25.5 ## explicit; go 1.24.0 github.com/go-openapi/swag/fileutils -# github.com/go-openapi/swag/jsonname v0.25.5 -## explicit; go 1.24.0 +# github.com/go-openapi/swag/jsonname v0.26.1 +## explicit; go 1.25.0 github.com/go-openapi/swag/jsonname # github.com/go-openapi/swag/jsonutils v0.25.5 ## explicit; go 1.24.0 @@ -307,7 +307,7 @@ github.com/monochromegane/go-gitignore github.com/munnerz/goautoneg # github.com/onsi/ginkgo v1.16.5 ## explicit; go 1.16 -# github.com/openshift/api v0.0.0-20260528061300-9f553042f9ae +# github.com/openshift/api v0.0.0-20260609121705-d3390bd1109f ## explicit; go 1.25.0 github.com/openshift/api/config/v1 github.com/openshift/api/config/v1alpha1 @@ -321,7 +321,7 @@ github.com/openshift/api/machineconfiguration/v1 github.com/openshift/api/operator/v1 github.com/openshift/api/operator/v1alpha1 github.com/openshift/api/route/v1 -# github.com/openshift/client-go v0.0.0-20260512113608-deb4dc54551a +# github.com/openshift/client-go v0.0.0-20260603140539-6892dc3e1ffc ## explicit; go 1.25.0 github.com/openshift/client-go/config/applyconfigurations github.com/openshift/client-go/config/applyconfigurations/config/v1 @@ -360,7 +360,7 @@ github.com/openshift/client-go/route/applyconfigurations/internal github.com/openshift/client-go/route/applyconfigurations/route/v1 github.com/openshift/client-go/route/clientset/versioned/scheme github.com/openshift/client-go/route/clientset/versioned/typed/route/v1 -# github.com/openshift/library-go v0.0.0-20260528084301-c7d432293c13 +# github.com/openshift/library-go v0.0.0-20260609093731-5637f8b25b0d ## explicit; go 1.25.0 github.com/openshift/library-go/pkg/image/imageutil github.com/openshift/library-go/pkg/image/internal/digest 
@@ -1281,7 +1281,7 @@ k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler k8s.io/klog/v2/internal/verbosity k8s.io/klog/v2/textlogger -# k8s.io/kube-openapi v0.0.0-20260520065146-aa012df4f4af +# k8s.io/kube-openapi v0.0.0-20260603220949-865597e52e25 ## explicit; go 1.24.0 k8s.io/kube-openapi/pkg/cached k8s.io/kube-openapi/pkg/common From 32616f8721373c738e32870cafabf86074a0ea0c Mon Sep 17 00:00:00 2001 From: Jose Valdes Date: Tue, 9 Jun 2026 11:54:55 -0400 Subject: [PATCH 6/6] [submodule][cloud-provider-aws] Update to d5b48e88 Update to https://github.com/openshift/cloud-provider-aws/commit/d5b48e88d31113954ed45b4c37c383a7df30eed8 This commit was generated using hack/update_submodules.sh --- cloud-provider-aws | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cloud-provider-aws b/cloud-provider-aws index ce31a2b115..d5b48e88d3 160000 --- a/cloud-provider-aws +++ b/cloud-provider-aws @@ -1 +1 @@ -Subproject commit ce31a2b11578c75a7537ce3c3ef146d7a864b0a0 +Subproject commit d5b48e88d31113954ed45b4c37c383a7df30eed8